Thanks Sajan,

It isn't the IAM configuration that is the problem. What I'm trying to do is use an AWS IAM role, which means I wouldn't need to create a user account or embed static credentials into the s3cmd config file. 

With a role assigned to the EC2 instance, any tools that support roles are automatically provided the needed credentials when they run. The access and secret key are temporary, and not stored in the instance. This is really powerful for autoscaling and bootstrapping securely.

The alternative (which someone posted) is to do some scripting to pull the temp credentials into s3cmd when needed, which is what I'll try next unless anyone has suggestions for getting IAM role support working (in alpha 3). That's similar to your user-based approach, but will use temporary credentials instead. Then I can revoke the role after the system is up and running and not worry about affecting anything else.

Thanks,

Rich Mogull
AIM: Securosis
Skype: rmogull
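
The scripted alternative mentioned in the message above, as an added example that is not part of the original thread and not s3cmd's own code: it validates the credential document the EC2 instance metadata service returns for a role and writes it into an owner-only s3cmd config. The sample document, the function names and the output file name are constructed, and it assumes an s3cmd build that reads `access_token` from its config.

```python
import json
import os
from datetime import datetime, timezone

# Constructed sample of the metadata response (placeholder values, not real keys).
SAMPLE = """{
  "Code": "Success",
  "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
  "SecretAccessKey": "constructed-secret-not-real",
  "Token": "constructed-session-token",
  "Expiration": "2013-07-08T03:00:00Z"
}"""


def parse_role_credentials(doc, now):
    """Validate the metadata document; return (s3cmd fields, expiry time)."""
    creds = json.loads(doc)
    if creds.get("Code") != "Success":
        raise ValueError("metadata service did not return usable credentials")
    expires = datetime.strptime(creds["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    expires = expires.replace(tzinfo=timezone.utc)
    if expires <= now:
        raise ValueError("temporary credentials have already expired")
    fields = {
        "access_key": creds["AccessKeyId"],
        "secret_key": creds["SecretAccessKey"],
        # Assumption: the s3cmd build in use reads access_token. Without the
        # session token, S3 rejects temporary keys.
        "access_token": creds["Token"],
    }
    return fields, expires


def write_s3cfg(path, fields):
    """Write a minimal s3cmd config that only the owner can read."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("[default]\n")
        for key, value in fields.items():
            fh.write(f"{key} = {value}\n")
    os.chmod(path, 0o600)  # tighten the mode even if the file already existed


if __name__ == "__main__":
    # On an instance, fetch the document from
    # http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>
    now = datetime(2013, 7, 7, 22, 0, tzinfo=timezone.utc)  # constructed clock
    fields, expires = parse_role_credentials(SAMPLE, now)
    write_s3cfg("s3cfg.example", fields)
    print("wrote s3cfg.example, credentials expire", expires.isoformat())
```

Because the keys expire, the script has to be re-run before the returned expiry time for any long-lived job.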

On Jul 7, 2013, at 2:58 PM, Sajan Parikh <sajan@noppix.com> wrote:

Did you try the config I posted to the list a while ago?  I'd been using that config for a long while without any issues, even before any sort of support in S3Tools.

I created an IAM user, attached the policy I posted before and used the key and secret key for that particular user like normal in s3cmd --configure.

Has worked like a charm for a while, and I haven't updated s3cmd in months.

Sajan Parikh
Owner, Noppix LLC

e: sajan@noppix.com
p: (563) 726-0371

On 07/05/2013 09:45 PM, Rich Mogull wrote:
Sajan,

Here's the policy I'm using that doesn't seem to work. This is *before* running --config, since I'm trying to figure out how to script a cloud-init download of some security credentials. Running "s3cmd ls" gives me the access denied error.

Thank you for the help,

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "arn:aws:s3:::<my bucket>"
    }
  ]
}

 

On Jul 4, 2013, at 1:58 PM, Sajan Parikh <sajan@noppix.com> wrote:

Here's something that should get you started.  It would've helped if you showed us what your config currently looks like.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ],
      "Condition": {}
    }
  ]
}
Sajan Parikh
Owner, Noppix LLC

e: sajan@noppix.com
p: (563) 726-0371

On 07/04/2013 03:19 PM, Rich Mogull wrote:
Does anyone have hints on using s3cmd with IAM roles? I have a role established and assigned to my EC2 instance, but after installing s3cmd I still get access denied. I don't see anything in the documentation. For example, do I need to create a special config file? Is there a command line parameter?

Thanks

------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
S3tools-general mailing list
S3tools-general@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/s3tools-general
