I have launched an EC2 instance with an IAM role and have associated the following policy with the IAM role.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::/testbucket/*",
      "Effect": "Allow"
    }
  ]
}
However, I keep on getting access denied when I try to download the file using the AWS CLI from within the EC2 instance.
aws s3api get-object --bucket testbucket --key file_name file_name
I get the message 'allowed' when I simulate the policy and perform the action on the objects in the bucket. And I can see the correct instance profile is attached to the instance when I access http://169.254.254/latest-metadata/iam/info
Is there anything obvious I am missing?
I was overlooking a small typo.
"Resource": "arn:aws:s3:::/testbucket/*"
There should be no / before the bucket name. Changed it and everything was fine.
"Resource": "arn:aws:s3:::testbucket/*"
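A small linter for this class of mistake, added here as an example and not part of the original post: it checks every S3 Resource ARN in a policy for a missing bucket name right after `:::`, an invalid bucket name, and (going beyond the case in the post) object actions granted on a bucket-only ARN. The function names and the constructed sample policies are assumptions made for illustration.

```python
import json
import re

# S3 ARNs leave region and account empty: arn:<partition>:s3:::<bucket>[/<key>]
S3_ARN = re.compile(r"^arn:(?:aws|aws-cn|aws-us-gov):s3:::(.*)$")
# Bucket names: 3-63 chars of lowercase letters, digits, dots and hyphens,
# starting and ending with a letter or digit.
BUCKET_NAME = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
# Object-level actions used by the policy on this page; extend as needed.
OBJECT_ACTIONS = {"s3:getobject", "s3:putobject", "s3:deleteobject"}


def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def check_resource(arn, actions):
    """Return the problems found in one Resource string for the given actions."""
    match = S3_ARN.match(arn)
    if not match:
        return []  # "*" or a non-S3 resource: nothing to check here
    bucket, slash, _key = match.group(1).partition("/")
    if bucket == "":
        return [f"{arn}: no bucket name directly after ':::' (stray '/'?)"]
    problems = []
    if not set("*?") & set(bucket) and not BUCKET_NAME.match(bucket):
        problems.append(f"{arn}: '{bucket}' is not a valid bucket name")
    if not slash and "*" not in bucket and OBJECT_ACTIONS & {a.lower() for a in actions}:
        problems.append(f"{arn}: object actions need '<bucket>/<key pattern>'")
    return problems


def lint_policy(policy_text):
    """Collect problems for every S3 resource in an IAM policy document."""
    problems = []
    for statement in as_list(json.loads(policy_text)["Statement"]):
        actions = as_list(statement.get("Action", []))
        for arn in as_list(statement.get("Resource", [])):
            problems.extend(check_resource(arn, actions))
    return problems


# Constructed sample: the policy from the question, stray '/' included.
BROKEN = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
  "Resource": "arn:aws:s3:::/testbucket/*"}]}"""
FIXED = BROKEN.replace(":::/testbucket", ":::testbucket")

if __name__ == "__main__":
    print("broken:", lint_policy(BROKEN), "fixed:", lint_policy(FIXED))
```

Running a check like this over policy documents before they are attached catches the malformed ARN without waiting for an access-denied error at request time.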