
AWS S3 Bucket Policy Whitelist


I have a bucket policy that whitelists my IP ranges in AWS. I have an EC2 server running a Packer build job, which tries to pull an object from my bucket and I am getting a 403 Forbidden error, even though the IP of my EC2 server running the said job is clearly within the whitelisted range. Even when I run wget from a machine within that CIDR range, I get the same error. I am confused why this is happening. The policy seems fine. Below is my bucket policy, the IP of my server, and the error:

Bucket Policy:

{
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::xxxxxxx",
                "arn:aws:s3:::xxxxxxx/*"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "10.x.x.x/12"
                    ]
                }
            }
        }
    ]
}

Server IP:

10.x.x.x/32

Error:

ui,message,    amazon-ebs:     "msg": "Error downloading 
https://s3.amazonaws.com/xxxxx/yyyy.zip to C:\\temp\\xxx.zip Exception 
calling \"DownloadFile\" with \"2\" argument(s): \"The remote server 
returned an error: (403) Forbidden.\""

Solution

  • Amazon S3 lives on the Internet.

    Therefore, when communicating with S3, your system will be using a Public IP address.

    However, your policy only includes private IP addresses. That is why it is not working.

    Your options are:

    • Modify the policy to use the Public IP address of the instance(s), or the Public IP address of a NAT Gateway if your instances are in a private subnet, OR
    • Create a Gateway VPC Endpoint that connects the VPC directly to Amazon S3. You can then configure a Bucket Policy that only accepts traffic via the VPC Endpoint.
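As an added illustration of the answer's point (example code, not from the question or the answer), a small Python evaluator that checks a bucket policy's `aws:SourceIp` condition against the address S3 actually observes, flags private CIDRs that can never match, and applies the first option (adding the public or NAT address). The policy, bucket name and IP addresses are constructed placeholders.

```python
import copy
import ipaddress
import json

# Constructed sample policy with the same shape as the one in the question;
# bucket name and CIDR are placeholders, not real values.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "IPAllow", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    "Condition": {"IpAddress": {"aws:SourceIp": ["10.0.0.0/12"]}}
  }]
}""")

def source_ip_cidrs(policy):
    """Collect every CIDR listed under an IpAddress / aws:SourceIp condition."""
    nets = []
    for stmt in policy["Statement"]:
        values = stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", [])
        if isinstance(values, str):
            values = [values]
        nets.extend(ipaddress.ip_network(v, strict=False) for v in values)
    return nets

def private_cidrs(policy):
    """Private ranges in the policy can never match: S3 only ever sees a public address."""
    return [str(n) for n in source_ip_cidrs(policy) if n.is_private]

def would_allow(policy, instance_private_ip, public_ip):
    # S3 is reached over the Internet, so the request arrives from the instance's
    # public IP or the NAT gateway's address; the private interface IP is never seen.
    del instance_private_ip  # deliberately ignored: it plays no part in the decision
    seen = ipaddress.ip_address(public_ip)
    return any(seen in net for net in source_ip_cidrs(policy))

def with_public_source(policy, public_ip):
    """Option 1 from the answer: add the public/NAT address as a /32 to the allow list."""
    fixed = copy.deepcopy(policy)
    cond = fixed["Statement"][0]["Condition"]["IpAddress"]
    values = cond["aws:SourceIp"]
    cond["aws:SourceIp"] = ([values] if isinstance(values, str) else values) + [f"{public_ip}/32"]
    return fixed
```

The private instance address (10.0.5.7 in the test) is passed in only to make the point explicit: no matter what it is, the decision depends solely on the public address S3 sees.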