I need to download a file from an S3 bucket that is private. I created the IAM role in the AWS Console, so I have an instance profile that I assign to running instances. I can fetch the file from the private bucket by providing an AWS::CloudFormation::Authentication object in the LaunchConfiguration. This only works if the instance is launched with an IamInstanceProfile.
"LaunchConfiguration":{
"Type":"AWS::AutoScaling::LaunchConfiguration",
"Metadata":{
"Comment":"Configure the Presentation Tier",
"AWS::CloudFormation::Authentication": {
"S3Access" : {
"type" : "S3",
"buckets":["demo-upload"],
"roleName": "MYS3ROLE"
}
},
"AWS::CloudFormation::Init":{
"config":{
"packages":{
"yum":{
"tomcat6": [],
"java-1.6.0-openjdk-devel" : [],
"tomcat6-webapps" :[],
"tomcat6-admin-webapps" :[],
"tomcat6-docs-webapp" :[],
"curl":[]
}
},
"files":{
"/var/lib/tomcat6/webapps/demo.war" : {
"source" : {"Ref":"WarLoc"},
"owner" : "tomcat",
"group" : "tomcat",
"authentication":"S3Access"
},
"/root/demo.war" : {
"source" : {"Ref":"WarLoc"},
"owner" : "root",
"group" : "root",
"authentication":"S3Access"
},
"/etc/cfn/cfn-hup.conf" : {
"content" : { "Fn::Join" : ["", [
"[main]\n",
"stack=", { "Ref" : "AWS::StackId" }, "\n",
"region=", { "Ref" : "AWS::Region" }, "\n",
"interval=1"
]]},
"mode" : "000400",
"owner" : "root",
"group" : "root"
},
"/etc/cfn/hooks.d/cfn-auto-reloader.conf" : {
"content": { "Fn::Join" : ["", [
"[cfn-auto-reloader-hook]\n",
"triggers=post.update\n",
"path=Resources.LaunchConfiguration.Metadata.AWS::CloudFormation::Init\n",
"action=/opt/aws/bin/cfn-init -s ", { "Ref" : "AWS::StackId" },
" -r LaunchConfiguration ",
" --region ", { "Ref" : "AWS::Region" }, "\n",
"runas=root\n"
]]}
}
},
"services" : {
"sysvinit" : {
"tomcat6":{
"files":["/var/lib/tomcat6/webapps/demo.war"],
"enabled": "true",
"ensureRunning":"true"
},
"cfn-hup":{
"files":["/etc/cfn/cfn-hup.conf","/etc/cfn/hooks.d/cfn-auto-reloader.conf"],
"enabled":"true",
"ensureRunning":"true"
}
}
}
}
}
},
"Properties":{
"ImageId" : { "Fn::FindInMap" : [ "AWSRegionArch2AMI", { "Ref" : "AWS::Region" }, { "Fn::FindInMap" : [ "AWSInstanceType2Arch", { "Ref" : "InstanceType" }, "Arch" ] } ] },
"SecurityGroups" : [ { "Ref" : "InstanceSecurityGroup" } ],
"InstanceType" : { "Ref" : "InstanceType" },
"InstanceMonitoring": "false",
"KeyName" : { "Ref" : "KeyName" },
"AssociatePublicIpAddress" : "true",
"IamInstanceProfile":"arn:aws:iam::MY_ACCOUNT_ID:instance-profile/MYS3ROLE",
"UserData" : { "Fn::Base64" : { "Fn::Join" : ["", [
"#!/bin/bash -v\n",
"yum update -y\n",
"# Install Presentation Software\n",
"/opt/aws/bin/cfn-init -s ", { "Ref" : "AWS::StackId" }, " -r LaunchConfiguration ",
" --region ", { "Ref" : "AWS::Region" }, "\n",
"service tomcat6 stop\n",
"rm -rf /var/lib/tomcat6/webapps/demo\n",
"sleep 3\n",
"service tomcat6 start\n",
"sleep 3\n",
"service tomcat6 restart\n",
"/opt/aws/bin/cfn-hup\n",
"/opt/aws/bin/cfn-signal -e $? -r \"Setup complete\" '", { "Ref" : "WaitHandle" }, "'\n"
]]}}
}
},
Is it possible to download files from S3 that are not publicly accessible without launching the instance with an IamInstanceProfile?
If I remove "IamInstanceProfile":"arn:aws:iam::MY_ACCOUNT_ID:instance-profile/s3access", I find the following lines in /var/log/cfn-init.log, which I do not think are caused by an authentication failure:
ToolError: Failed to retrieve https://s3-us-west-2.amazonaws.com/demo-upload/0.0.1/demo.war: [Errno 404] HTTP Error 404 : <?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>404 - Not Found</title>
</head>
<body>
<h1>404 - Not Found</h1>
</body>
</html>
IamProfile, . , - , - ?