Request for box's Amazon S3 region was denied #38
If I try uploading this to a bucket also in
So, this leads me to think that the issue has to do with the cross-account IAM permissions and/or the bucket policy on the original bucket.
I am still fighting this issue and continue to suspect an issue accessing the bucket across accounts. To rule out an issue with the age of the I'm not familiar with the ruby toolchain, but it did seem to build and install. Behavior was unchanged. I also changed the Further, I tried using the
Possible solution: I noticed some issues with region handling in the past and in particular this change. When I backed out the change and also while using version 2.11.150 of the aws-sdk-ruby, my download issues were resolved. In my working configuration util.rb lines 32-34 are now:

```ruby
def self.s3_client(region = DEFAULT_REGION)
  ::Aws::S3::Client.new(region: region, force_path_style: true)
end
```

@benesch any ideas why this works?
Hello. Has there been any fix or workaround for this? I'm also having great difficulty getting a Metadata box to download from s3 in a cross-account scenario due to "Request for box's Amazon S3 region was denied". I'm using Vagrant 2.2.4, vagrant-s3auth 1.3.2. I'll give my issue here in case it helps. The box is in an s3 bucket in Account A, region eu-west-1. My user has access to the bucket through a combination of bucket policy and IAM roles as explained here by AWS.
A bucket policy in Account A delegates access to Account B:
My IAM user in Account B has a policy granting me access:
I can access the box manifest and the box it points to on the cli:
I can also download it (GetObject):
I can get its location
Yet the only way I can get Vagrant to access the box is to make both the manifest and the box it points to public. Things I've tried: In the Vagrantfile I've set
I tried using different assumerole profile in the Vagrantfile
This profile is set up in my `~/.aws/config`. All the aws cli commands above work using this profile. I tried setting env vars `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. Same result. I tried all the possible s3 bucket URL formats. Same result. I should mention that the s3 objects are created and owned by a third account, "Account C", where we build the images with Packer and upload using the vagrant-s3 plugin. We set the "bucket-owner-full-control" ACL. The object ACLs are as follows:
Here's the debug log output with redacted items capitalized.
Even if there isn't a fix for this exact issue, is there some workaround? Having to make our boxes public is not feasible. Thank you.
@darrenob I can't tell if you are having the same problem that I am, but have you tried changing
Thanks @stevenscg. In the end I moved the Vagrant boxes to an s3 bucket in the same account as the IAM user running `vagrant up` and that worked around the issue. I didn't try the change to I will keep an eye on this thread as cross-account access using vagrant-s3auth seems like a core requirement. If it ever comes back I will definitely make use of it.
@stevenscg
@darrenob

```
$ less -N ~/.vagrant.d/gems/2.4.9/gems/vagrant-s3auth-1.3.2/lib/vagrant-s3auth/util.rb
```

```ruby
require 'aws-sdk'
require 'log4r'
require 'net/http'
require 'uri'

module VagrantPlugins
  module S3Auth
    module Util
      S3_HOST_MATCHER = /^((?<bucket>[[:alnum:]\-\.]+).)?s3([[:alnum:]\-\.]+)?\.amazonaws\.com$/

      # The list of environment variables that the AWS Ruby SDK searches
      # for access keys. Sadly, there's no better way to determine which
      # environment variable the Ruby SDK is using without mirroring the
      # logic ourself.
      #
      # See: https://github.com/aws/aws-sdk-ruby/blob/ab0eb18d0ce0a515254e207dae772864c34b048d/aws-sdk-core/lib/aws-sdk-core/credential_provider_chain.rb#L42
      AWS_ACCESS_KEY_ENV_VARS = %w(AWS_ACCESS_KEY_ID AMAZON_ACCESS_KEY_ID AWS_ACCESS_KEY).freeze

      # Original default region, replaced by the AWS_REGION environment variable
      # (nil if AWS_REGION is not set).
      #DEFAULT_REGION = 'us-east-1'.freeze
      DEFAULT_REGION = ENV['AWS_REGION'].freeze

      # GetBucketLocation returns '' for us-east-1 and the legacy 'EU' value
      # for eu-west-1; every other value is already a region name.
      LOCATION_TO_REGION = Hash.new { |_, key| key }.merge(
        '' => DEFAULT_REGION,
        'EU' => 'eu-west-1'
      )

      # (remaining lines of util.rb not shown in the comment)
    end
  end
end
```

then it seems working
I am not sure if this modification is okay against the vagrant-s3auth specification (I do not code ruby often), if the plugin absolutely needs 'us-east-1' as default region value, cheers
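The two things this thread keeps circling around are (a) how the plugin turns the `LocationConstraint` returned by S3 `GetBucketLocation` into a region name, with its `''` and `'EU'` legacy quirks, and (b) what happens when the cross-account bucket policy does not grant that call, so the lookup is denied and the box never downloads. The following is an added example, not vagrant-s3auth's own code: it implements the same mapping and adds a fallback to an explicitly configured region (the `AWS_REGION` workaround from the comment above) when the lookup is denied. The `FakeS3Client`, `AccessDeniedError` and `resolve_bucket_region` names are constructed for this example so it runs offline; the real plugin calls `::Aws::S3::Client#get_bucket_location`.

```ruby
# Added example (not the plugin's code): map an S3 LocationConstraint to a
# region and fall back to a configured region when GetBucketLocation is denied.

DEFAULT_REGION = 'us-east-1'.freeze

# GetBucketLocation does not always return a region name: an empty string means
# us-east-1 and the legacy 'EU' value means eu-west-1. Any other value is used
# as-is via the Hash default block.
LOCATION_TO_REGION = Hash.new { |_, key| key }.merge(
  '' => DEFAULT_REGION,
  'EU' => 'eu-west-1'
).freeze

def location_to_region(location_constraint)
  LOCATION_TO_REGION[location_constraint.to_s]
end

# Stand-in for the SDK's AccessDenied error so the example runs without AWS.
class AccessDeniedError < StandardError; end

# Constructed fake client: a bucket name -> LocationConstraint table, plus a
# list of buckets whose (cross-account) policy omits s3:GetBucketLocation.
class FakeS3Client
  def initialize(locations, denied)
    @locations = locations
    @denied = denied
  end

  def get_bucket_location(bucket)
    if @denied.include?(bucket)
      raise AccessDeniedError, "Request for #{bucket}'s Amazon S3 region was denied"
    end
    @locations.fetch(bucket)
  end
end

# Resolve the region for a bucket. When the lookup is denied (the cross-account
# case in this issue) use the caller's configured region, e.g. ENV['AWS_REGION'],
# instead of failing the whole box download. Without a configured region the
# original error is re-raised so the failure stays visible.
def resolve_bucket_region(client, bucket, configured_region: nil)
  location_to_region(client.get_bucket_location(bucket))
rescue AccessDeniedError
  raise if configured_region.nil? || configured_region.empty?
  configured_region
end

if __FILE__ == $PROGRAM_NAME
  client = FakeS3Client.new(
    { 'legacy-bucket' => '', 'eu-bucket' => 'EU', 'west-bucket' => 'us-west-2' },
    ['cross-account-bucket']
  )
  puts resolve_bucket_region(client, 'eu-bucket')
  puts resolve_bucket_region(client, 'cross-account-bucket',
                             configured_region: ENV.fetch('AWS_REGION', 'eu-west-1'))
end
```

The fallback only helps if the caller knows the bucket's real region; pointing the client at the wrong region produces a redirect or a 400 from S3 rather than a download, so the cleaner fix on the bucket side is to include `s3:GetBucketLocation` in the cross-account bucket policy alongside `s3:GetObject`.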
I have been using this plugin without issue for several years. But recently, we've started to run into the following error with Vagrant v2.1.5 and probably Vagrant v2.1.4. Plugin version 1.3.2. The actual bucket is in `us-west-2` and has always been. We have tried multiple formats of the url per the recommendations in the README. We are using `.aws/credentials` and `.aws/config` files per AWS recommendations. We can download using the `aws s3 cp ....` syntax on the command line with same credentials. I've looked at our IAM permissions several times. They appear to be correct and have not changed in several years of using this plugin.
The bucket is owned by another AWS account and IAM policies in both accounts appear to be correct.
I am still looking for the issue and will update this if I find anything.