Upload with aws-sdk and STS credentials - 403 error

I am trying to configure Amazon STS (Security Token Service) to create temporary credentials for client-side uploads to S3.

I can make the code work fine with the access key generated for the IAM user, but when I replace the access key / secret key with the temporary ones and add the session token, I get a 403 Forbidden. The S3 access logs do not log the attempt.

On the STS side, I generate credentials via aws-sdk for node.js using the same IAM user as mentioned above, and the SDK happily generates STS credentials:

    var AWS = require('aws-sdk');

    let sts = new AWS.STS({apiVersion: '2011-06-15'});
    sts.assumeRole({
        RoleArn: 'arn:aws:iam::[REMOVED]:role/[REMOVED]',
        RoleSessionName: '[REMOVED (generated by concatenating a few ids)]',
        DurationSeconds: 60 * 20,
    }, (err, data) => {
        // callback handling
    });

Upload test code:

    var AWS = require('aws-sdk');

    // Load the stream
    var fs = require('fs');
    var body = fs.createReadStream('./helloworld.txt');

    AWS.config.update({
        region: 'ap-southeast-2',
        accessKeyId: '[REMOVED]',
        secretAccessKey: '[REMOVED]',
        sessionToken: '[REMOVED]'
    });

    // Upload the stream
    var s3 = new AWS.S3();
    s3.putObject({
        Body: body,
        Bucket: '[REMOVED]',
        Key: 'helloworld.txt'
    }, function(err, data) {
        if (err) console.log(err, err.stack); // an error occurred
        else     console.log(data);           // successful response
    });

aws-sdk version: 2.4.8
node.js: 4.2.3

I tested the role policy that it is expected to use with the IAM policy simulator, which says that it is fine. I tried uploading both on the browser side and on the server side using the SDK.

I opened up the S3 CORS configuration (for debugging) to make sure that nothing strange was happening there:

    <?xml version="1.0" encoding="UTF-8"?>
    <CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
        <CORSRule>
            <AllowedOrigin>*</AllowedOrigin>
            <AllowedMethod>PUT</AllowedMethod>
            <AllowedMethod>GET</AllowedMethod>
            <AllowedMethod>POST</AllowedMethod>
            <MaxAgeSeconds>0</MaxAgeSeconds>
            <ExposeHeader>ETag</ExposeHeader>
            <ExposeHeader>x-amz-server-side-encryption</ExposeHeader>
            <ExposeHeader>x-amz-request-id</ExposeHeader>
            <ExposeHeader>x-amz-id-2</ExposeHeader>
            <AllowedHeader>*</AllowedHeader>
            <AllowedHeader>x-amz-acl</AllowedHeader>
        </CORSRule>
    </CORSConfiguration>

Bucket policy that I opened up (again, for debugging):

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:*"
                ],
                "Resource": [
                    "[REMOVED]"
                ]
            }
        ]
    }

Any ideas?

+5
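The flow the question describes (AssumeRole, then an S3 upload signed with the temporary credentials) as an added example; this is not the asker's code. It sanity-checks the credentials STS returned before any request reaches S3, and scopes them to one S3 client instead of `AWS.config.update`, so a missing session token or an expired set fails with a readable error rather than a bare 403. The STS and S3 clients are injected: the `sts` and `makeS3` parameters, the `fakeSts`/`fakeS3Factory` helpers and all credential, role and bucket values are constructed placeholders so the code runs offline. With the real SDK v2 you would pass `new AWS.STS({apiVersion: '2011-06-15'})` and `(c) => new AWS.S3({ region: 'ap-southeast-2', credentials: c })`; the `.promise()` request method exists in the 2.4.8 SDK the question uses, while `async`/`await` needs Node 8 or later.

```javascript
'use strict';

// Temporary credentials returned by AssumeRole always carry a session token,
// and their access key ids start with "ASIA" (long-term IAM user keys start
// with "AKIA"). Returning the list of problems up front gives a readable
// failure instead of the bare 403 a half-configured client gets from S3.
function checkTemporaryCredentials(creds, now = new Date()) {
  const problems = [];
  if (!creds || !creds.AccessKeyId) {
    problems.push('AccessKeyId missing');
  } else if (!creds.AccessKeyId.startsWith('ASIA')) {
    problems.push('AccessKeyId is not a temporary (ASIA...) key');
  }
  if (!creds || !creds.SecretAccessKey) problems.push('SecretAccessKey missing');
  if (!creds || !creds.SessionToken) problems.push('SessionToken missing (every signed request needs it)');
  if (creds && creds.Expiration && new Date(creds.Expiration).getTime() <= now.getTime()) {
    problems.push('credentials already expired at ' + creds.Expiration);
  }
  return problems;
}

// STS returns CapitalCase field names; the S3 client constructor expects the
// lowerCamel names. Scoping them to one client (rather than AWS.config.update)
// keeps the temporary keys from mixing with long-term keys the SDK may pick
// up from the environment or a credentials file.
function toClientCredentials(creds) {
  return {
    accessKeyId: creds.AccessKeyId,
    secretAccessKey: creds.SecretAccessKey,
    sessionToken: creds.SessionToken,
  };
}

// sts: object whose assumeRole(params) returns an SDK-style request (.promise()).
// makeS3: function(credentials) -> S3 client whose putObject(params) has .promise().
async function uploadWithAssumedRole({ sts, makeS3, roleArn, sessionName, bucket, key, body, now }) {
  const { Credentials } = await sts.assumeRole({
    RoleArn: roleArn,
    RoleSessionName: sessionName,
    DurationSeconds: 60 * 20,
  }).promise();
  const problems = checkTemporaryCredentials(Credentials, now);
  if (problems.length > 0) {
    throw new Error('unusable temporary credentials: ' + problems.join('; '));
  }
  const s3 = makeS3(toClientCredentials(Credentials));
  return s3.putObject({ Bucket: bucket, Key: key, Body: body }).promise();
}

// Constructed fakes so the flow can be exercised offline; they mimic only the
// surface of the SDK that the functions above touch.
function fakeSts(credentials) {
  return { assumeRole: () => ({ promise: () => Promise.resolve({ Credentials: credentials }) }) };
}
function fakeS3Factory(calls) {
  return (credentials) => ({
    putObject: (params) => ({
      promise: () => {
        calls.push({ credentials, params }); // record what the client was built with
        return Promise.resolve({ ETag: '"constructed-etag"' });
      },
    }),
  });
}

// Constructed sample credentials in the shape STS returns (placeholders, not real keys).
const SAMPLE_CREDENTIALS = {
  AccessKeyId: 'ASIAPLACEHOLDEREXAMPLE',
  SecretAccessKey: 'secret-placeholder',
  SessionToken: 'session-token-placeholder',
  Expiration: '2099-01-01T00:00:00Z',
};

// Runs the whole flow against the fakes and returns the upload result plus the
// recorded S3 call, so the caller can see which credentials reached S3.
function demo() {
  const calls = [];
  return uploadWithAssumedRole({
    sts: fakeSts(SAMPLE_CREDENTIALS),
    makeS3: fakeS3Factory(calls),
    roleArn: 'arn:aws:iam::123456789012:role/RolePlaceholder', // placeholder account/role
    sessionName: 'upload-demo',
    bucket: 'bucket-placeholder',
    key: 'helloworld.txt',
    body: 'hello world',
  }).then((result) => ({ result, calls }));
}

demo().then(({ result, calls }) =>
  console.log('uploaded', result.ETag, 'signed with', calls[0].credentials.accessKeyId));
```

If `checkTemporaryCredentials` passes and S3 still answers 403 with no entry in the access logs, the remaining places to look are the role's permission policy and trust policy (the IAM policy simulator only evaluates the former), the bucket policy and ACL, and the region the client was built for.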
1 answer

It turns out that the missing configuration was an ACL on the bucket itself; the original ACL allowed my root account to make all changes. I assume that the IAM account where the code was working inherited some kind of permission.

Adding an extra line for upload / delete.

[Configuration screenshot]

+1
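The answer's fix was an extra bucket ACL grant for upload/delete. As an added example, not the answerer's screenshot or configuration, this is what that grant looks like when applied through the same SDK (v2 request objects with `.promise()`): a read-modify-write of the ACL that keeps the owner and every existing grant, and adds a `WRITE` grant (the bucket-level ACL permission covering object creation, overwrite and deletion) for one canonical user ID. The `addBucketGrant`/`grantBucketAccess` names, the `fakeS3` helper, the bucket name and the canonical IDs are constructed placeholders; with the real SDK you would pass `new AWS.S3({ region: 'ap-southeast-2' })` as `s3`. S3 ACLs grant to AWS accounts (by canonical user ID) rather than to individual IAM users or roles, so such a grant is account-wide, and the bucket policy in the question already allows `s3:*`; once uploads work it is worth confirming which of the two grants is actually needed and dropping the broader one.

```javascript
'use strict';

// Returns the parameters for s3.putBucketAcl() that add one grant for a
// canonical user ID to the ACL read back from s3.getBucketAcl(), keeping the
// bucket owner and every existing grant. WRITE on a bucket is the ACL
// permission that allows creating, overwriting and deleting objects.
// Idempotent: an identical existing grant is not duplicated.
function addBucketGrant(currentAcl, bucket, canonicalUserId, permission = 'WRITE') {
  const allowed = ['FULL_CONTROL', 'WRITE', 'WRITE_ACP', 'READ', 'READ_ACP'];
  if (!allowed.includes(permission)) throw new Error('unknown ACL permission: ' + permission);
  const present = currentAcl.Grants.some((g) =>
    g.Grantee.Type === 'CanonicalUser' && g.Grantee.ID === canonicalUserId && g.Permission === permission);
  const grants = present
    ? currentAcl.Grants.slice()
    : currentAcl.Grants.concat([{ Grantee: { Type: 'CanonicalUser', ID: canonicalUserId }, Permission: permission }]);
  // putBucketAcl requires the Owner alongside the Grants in AccessControlPolicy.
  return { Bucket: bucket, AccessControlPolicy: { Owner: currentAcl.Owner, Grants: grants } };
}

// Read-modify-write against an S3 client (real or fake), so that no grant
// that is already on the bucket is dropped by the update.
function grantBucketAccess(s3, bucket, canonicalUserId, permission) {
  return s3.getBucketAcl({ Bucket: bucket }).promise()
    .then((acl) => s3.putBucketAcl(addBucketGrant(acl, bucket, canonicalUserId, permission)).promise());
}

// Constructed sample: the ACL of a fresh bucket, where only the owner has FULL_CONTROL.
const OWNER_ID = 'owner-canonical-id-placeholder';
const OTHER_ACCOUNT_ID = 'other-account-canonical-id-placeholder';
const SAMPLE_ACL = {
  Owner: { ID: OWNER_ID, DisplayName: 'owner' },
  Grants: [{ Grantee: { Type: 'CanonicalUser', ID: OWNER_ID, DisplayName: 'owner' }, Permission: 'FULL_CONTROL' }],
};

// Constructed fake S3 client covering only getBucketAcl/putBucketAcl; it keeps
// the "stored" ACL and every putBucketAcl call so the result can be inspected.
function fakeS3(initialAcl) {
  const state = { acl: JSON.parse(JSON.stringify(initialAcl)), puts: [] };
  return {
    state,
    getBucketAcl: () => ({ promise: () => Promise.resolve(state.acl) }),
    putBucketAcl: (params) => ({
      promise: () => {
        state.puts.push(params);
        state.acl = params.AccessControlPolicy;
        return Promise.resolve({});
      },
    }),
  };
}

const demoClient = fakeS3(SAMPLE_ACL);
grantBucketAccess(demoClient, 'bucket-placeholder', OTHER_ACCOUNT_ID)
  .then(() => console.log('grants now on bucket:', JSON.stringify(demoClient.state.acl.Grants)));
```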
