Trying to use a service account on my aws ec2 instance

I'm using rclone 1.50.2 on centos 7 on an amazon ec2 system.

I recently set this system up to use an instance service account so I didn't have to store my access keys.

Now, doing an "aws s3 ls s3://bucketname" works fine. As does doing a "cp" of a file there, or a "rm" of the file.

Rclone doesn't seem to be falling through to the account though. I get a 302 permission denied for anything I try to sync there. From the documentation, the policy I set was:

(chunk of terraform)

data "aws_iam_policy_document" "mirror-s3-policy" {
  statement {
    actions = [
      "s3:DeleteObject",
      "s3:ListBucket",
      "s3:GetObject",
      "s3:PutObject",
      "s3:PutObjectACL",
      "s3:ReplicateObject",
      "s3:RestoreObject"
    ]

    resources = [
      "${aws_s3_bucket.bucket1.arn}/*",
      "${aws_s3_bucket.bucket1.arn}"
    ]
  }
}

Top of the log file (902 additional errors excluded):

2019/12/19 19:50:08 DEBUG : rclone: Version "v1.50.2" starting with parameters ["rclone" "--log-file=/tmp/log" "-P" "-vvvv" "--s3-use-accelerate-endpoint" "--s3-region=us-east-2" "--exclude=/8" "--exclude=/8*/**" "--exclude=/7" "--exclude=/7*/**" "-L" "--transfers=15" "--checkers=10" "--max-backlog=200000" "sync" "/mirror/centos" "s3:bucket1/centos/"]
2019/12/19 19:50:08 DEBUG : Using config file from "/root/.config/rclone/rclone.conf"
2019/12/19 19:50:09 DEBUG : 7: Excluded
2019/12/19 19:50:09 DEBUG : 7.6.1810: Excluded
2019/12/19 19:50:09 DEBUG : 7.7.1908: Excluded
2019/12/19 19:50:09 DEBUG : 8: Excluded
2019/12/19 19:50:09 DEBUG : 8-stream: Excluded
2019/12/19 19:50:09 DEBUG : 8.0.1905: Excluded
2019/12/19 19:50:09 INFO  : S3 bucket bucket1 path centos: Waiting for checks to finish
2019/12/19 19:50:09 INFO  : S3 bucket bucket1 path centos: Waiting for transfers to finish
2019/12/19 19:50:09 ERROR : RPM-GPG-KEY-CentOS-5: Failed to copy: s3 upload: 403 Forbidden: <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>884DFD81EAF03B65</RequestId><HostId>gtF9KeWPig8HT5uguQ8D9ObiuJuY6vmGHk4BiXUw+oLVErwv453iyS1c3avYN03BN1skucwaGH8=</HostId></Error>
2019/12/19 19:50:09 ERROR : dir_sizes: Failed to copy: s3 upload: 403 Forbidden: <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>A496D7EB3FF59CC5</RequestId><HostId>cVvKyqS3jFzyMY3fR3m9Uiuu4JNF3CJlglky4uq7HSIZkyO1ezTf9UmwX95qyEsC7kvo5zAr2ts=</HostId></Error>

The config file is:

[s3]
type = s3
provider = AWS
env_auth = false
region = eu-west-1
acl = public-read
storage_class = STANDARD

Again, the aws cli tool does file operations perfectly fine.

Is there a permission I'm missing? The docs out of date?

Try running with -vv --dump responses to show the http transactions. That will show exactly what rclone is doing and may give you an idea.

env_auth = true, even though you're not using environment variables, so it'll query the metadata server. The -dump showed me it wasn't passing any credentials at all, whereas aws -debug s3 showed it as a last resort calling the metadata server, getting the node iam role, and passing that credential blob.

Hmm, so do you think rclone isn't querying the metadata server properly?

That certainly used to work, I wonder if it got broken.

Your logs from above indicate that it was failing on the copy so it must have had a successful listing hence the auth must be working? What made you think there was no auth? There should have been an Authorization: XXXX header (rclone doesn't show the token unless you include auth in your --dump parameter).

Does this work OK?

rclone ls "s3:bucket1/centos/"

It was working because the bucket had public read on it. So with no auth, it could still read and list. Writing failed. In fact, AWS specifically complains in the response that anonymous access is forbidden. No Authorization header if you set env_auth to false. Setting it to true makes it do the query properly when it falls through everything else.

OK.

That is probably expected - if you didn't supply any auth in the config then you'll need to set env_auth true. env is the general environment, so environment variables, config files or EC2 metadata server.

Sorry, I misunderstood your previous statement! Yes you need to set env_auth true if you want to use the metadata server.

Get AWS credentials from runtime (environment variables or EC2/ECS meta data if no env vars). Only applies if access_key_id and secret_access_key is blank.
Choose a number from below, or type in your own value
1 / Enter AWS credentials in the next step
\ "false"
2 / Get AWS credentials from the environment (env vars or IAM)
\ "true"
env_auth> 1
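The thread's root cause (env_auth = false plus no static keys means rclone sends no Authorization header, and the public-read ACL let listing succeed anyway until the first PutObject returned 403) can be caught before the first sync by linting the remote's config. This is an added example, not rclone code; it mirrors the credential order from the config prompt above (static keys, then runtime env vars / IAM, else anonymous) and the sample config is a constructed copy of the one posted in the thread.

```python
"""Lint an rclone.conf for S3 remotes that would talk to AWS anonymously.

Added example (not rclone's own code). Credential order follows rclone's
config prompt: static access_key_id/secret_access_key, then env_auth = true
(env vars or EC2/ECS metadata), otherwise the request goes out unsigned.
"""
import configparser

# Constructed copy of the [s3] remote from the thread, used as sample input.
SAMPLE_CONF = """
[s3]
type = s3
provider = AWS
env_auth = false
region = eu-west-1
acl = public-read
storage_class = STANDARD
"""


def credential_source(section):
    """Return 'static', 'runtime' or 'anonymous' for one S3 remote section."""
    if section.get("access_key_id") and section.get("secret_access_key"):
        return "static"
    if section.getboolean("env_auth", fallback=False):
        return "runtime"   # env vars, shared config, or instance metadata
    return "anonymous"     # no Authorization header: reads only work on public buckets


def lint(conf_text):
    """Map each S3 remote name to its credential source and a list of findings."""
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    findings = {}
    for name in cfg.sections():
        sec = cfg[name]
        if sec.get("type") != "s3":
            continue
        issues = []
        source = credential_source(sec)
        if source == "anonymous":
            issues.append("no credentials: set env_auth = true to use the "
                          "instance role, or add static keys")
        if sec.get("acl", "").startswith("public"):
            issues.append("acl makes every uploaded object publicly readable")
        findings[name] = {"credentials": source, "issues": issues}
    return findings


if __name__ == "__main__":
    for remote, result in lint(SAMPLE_CONF).items():
        print(remote, result["credentials"], *result["issues"], sep="\n  ")
```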