It's recommended to manage your EC2 instances via SSM if/when you need console access, rather than using SSH, which can pose a security risk. Getting files into or out of the EC2 instance is then a bit trickier, but if you have an S3 bucket available you can copy the file from the EC2 instance into that bucket and then download it to your workstation or to another EC2 instance.
These instructions assume you are using an Ubuntu Linux instance.
Install AWS CLI
Firstly install the AWS CLI to the instance with:
snap install aws-cli --classic
Upload or Download the File via AWS S3
Now we can attempt an upload (or download) with the following command. In this example we're uploading a file called "shibboleth-sp.tar.gz" to the "mytestbucket" S3 bucket:
aws s3 cp shibboleth-sp.tar.gz s3://mytestbucket
If you get an error such as:
upload failed: ./shibboleth-sp.tar.gz to s3://mytestbucket/shibboleth-sp.tar.gz An error occurred (AccessDenied) when calling the PutObject operation: User: arn:aws:sts::349743579714:assumed-role/ec2-ssm-role/i-02bce23456983e56f is not authorized to perform: s3:PutObject on resource: "arn:aws:s3:::mytestbucket/shibboleth-sp.tar.gz" because no identity-based policy allows the s3:PutObject action
You'll need to ensure that the assumed role your session is using (SSM-ROLE in this example, i.e. the role your session within EC2 is running under) has PutObject permission on the S3 bucket. These permissions need only be temporary; you can remove them afterwards.
To add the permissions to the Bucket Policy, you can do the following:
AWS S3 → Bucket Name (e.g. sanger-imt-terraform-state) → Permissions
Then click “Edit” under the “Bucket Policy”, and add the following, then click “Save”.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPutObjectFromSpecificRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:sts::3497234579714:assumed-role/ec2-ssm-role/i-02bce234c983e56f"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::mytestbucket/*"
    }
  ]
}
Now when you retry the upload you should find it is successful.
root@ip-192-168-0-27:/tmp# aws s3 cp shibboleth-sp.tar.gz s3://mytestbucket
upload: ./shibboleth-sp.tar.gz to s3://mytestbucket/shibboleth-sp.tar.gz
You can then remove the bucket policy if you wish.
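The grant, copy and revoke steps above as one script, an added example that is not part of the original post. It is meant to be run from an admin workstation whose identity may edit the bucket policy (so the instance role itself never needs s3:PutBucketPolicy), takes the principal ARN shown in the AccessDenied message, narrows the grant to one key prefix rather than the whole bucket, and runs the copy on the instance through SSM Run Command; instance id, bucket, prefix and file path are constructed values, and the bucket is assumed to have no existing policy.

```shell
#!/bin/sh
# Added example, not from the original post. Run from an admin workstation whose
# identity may edit the bucket policy, not from the instance itself. Bucket, prefix
# and instance id are constructed; the principal ARN comes from the AccessDenied message.
set -e

# Emit a bucket policy allowing PutObject from one role session to one key prefix.
# $1 = principal ARN, $2 = bucket, $3 = key prefix (narrower than the post's "/*")
make_put_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPutObjectFromSpecificRole",
      "Effect": "Allow",
      "Principal": { "AWS": "$1" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::$2/$3/*"
    }
  ]
}
EOF
}

# Grant, run the copy on the instance through SSM, then revoke even if the copy fails.
# $1 = instance id, $2 = principal ARN, $3 = bucket, $4 = prefix, $5 = file on instance
# Assumes the bucket has no existing policy: put/delete replace the whole policy.
copy_via_temporary_grant() {
    instance=$1; principal=$2; bucket=$3; prefix=$4; path=$5
    aws s3api put-bucket-policy --bucket "$bucket" \
        --policy "$(make_put_policy "$principal" "$bucket" "$prefix")"
    # EXIT trap: the grant is removed whether the copy succeeds or fails.
    trap 'aws s3api delete-bucket-policy --bucket "$bucket"' EXIT
    # Path is assumed to contain no spaces or quotes.
    cmd_id=$(aws ssm send-command --instance-ids "$instance" \
        --document-name AWS-RunShellScript \
        --parameters "{\"commands\":[\"aws s3 cp $path s3://$bucket/$prefix/\"]}" \
        --query Command.CommandId --output text)
    # Waits for completion and exits non-zero if the remote command failed.
    aws ssm wait command-executed --command-id "$cmd_id" --instance-id "$instance"
}

# Usage: sh copy-out.sh <instance-id> <principal-arn> <bucket> <prefix> <file-on-instance>
if [ $# -eq 5 ]; then
    copy_via_temporary_grant "$@"
fi
```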