5

I created an IAM role and assigned it to my EC2 instance. I created an IAM role policy and linked it to my S3 bucket. I can now list the files on my S3 bucket using the aws-cli on my EC2 instance.

[[email protected] ~]# aws --region eu-west-1 s3 ls s3://s3-bucket-name
2017-05-02 02:37:39        137 index.html

Now if I try to curl that file I get an access denied error:

[[email protected] ~]# curl https://s3-eu-west-1.amazonaws.com/s3-bucket-name/index.html
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>782176F442A4995A</RequestId><HostId>qZWZTXZdlgtD4BiVYfp5+Mj/gU3UXRiYQmsSyaAhwED1JtzUWs9QKE99RmsQ6w0uDB

Is there a way I could make this curl request work without relaxing the permissions on the S3 bucket? Something like authentication, headers etc etc.

Improve this question
1
  • 1
    curl `aws --region eu-west-1 s3 presign s3://s3-bucket-name/index.html` Commented May 2, 2017 at 3:39

1 Answer 1

Reset to default
7

GET requests to Amazon S3 require an authorization string that uses AWS Signature v4.

See: GET Object

Alternatively, you could create a Pre-Signed URL which has extra parameters and grants time-limited access to an Amazon S3 object. You can generate a Pre-Signed URL with a couple of lines of code and then provide it to users (or use it in an HTML page) to grant temporary access to private objects stored in Amazon S3.

Of course, the easiest way to retrieve data from Amazon S3 is by using API calls or the AWS Command-Line Interface (CLI).

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Presigned url is a great strategy, especially if you're using a library that doesn't let you add headers to the curl command.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.