Closed olsnacky closed 8 years ago
Shoot! It seems to work okay for me: https://travis-ci.org/WhoopInc/vagrant-s3auth/jobs/78511695
Are you able to reproduce in any other regions?
Sorry for the late reply! I was expecting an email notification.
Hmm, this is my vagrantfile:
```ruby
# -*- mode: ruby -*-
# vi: set ft=ruby :
ENV['AWS_ACCESS_KEY_ID'] = 'XXXX'
ENV['AWS_SECRET_ACCESS_KEY'] = 'XXXX'
ENV['AWS_DEFAULT_REGION'] = 'ap-southeast-2'
unless Vagrant.has_plugin?('vagrant-s3auth')
  system('vagrant plugin install vagrant-s3auth') || exit!
  exit system('vagrant', *ARGV)
end
Vagrant.configure('2') do |config|
  config.vm.box = 'XXXX'
  config.vm.box_url = 'https://s3-ap-southeast-2.amazonaws.com/XXXXX'
  config.vm.provision "shell", path: "vagrant/provision.sh"
  config.vm.provision "shell", path: "vagrant/provision_postgres.sh"
  config.vm.boot_timeout = 300
end
```
Am I not setting the default region correctly?
I added the same file and bucket policy to a new bucket I created in ap-southeast-1 (https://s3-ap-southeast-1.amazonaws.com/XXX). I received the same error.
I'm not quite sure what happens inside of the tests, but here are my thoughts on what is happening:
What do you mean when you say "they only work when used within the context of the 'ap-southeast-1' region"?
In theory the GetBucketLocation request can be completed against US Standard for any bucket.
The credentials only work if the AWS_DEFAULT_REGION is set to 'ap-southeast-2'. Sorry, I wish I could explain it a bit better than that.
I have found a workaround to this issue. I created an IAM policy that I attached to the IAM user that was making the GetBucketLocation request. The policy is:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1442183069000",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    }
  ]
}
```
Ah, yes—that is noted somewhere in the README. Though it sounds like parsing the region directly from the S3 URL except when the shorthand URL is used would have saved you this trouble.
Reread your initial filing and realized that the error message did in fact instruct you to allow the GetBucketLocation action in IAM. Closing because I'm not sure how to make this clearer. :-/
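The region parsing suggested in the comments above, sketched as an added example (not part of this thread and not vagrant-s3auth's own code): it reads the region from the S3 URL and reports when a GetBucketLocation request would still be needed. The names `parse_s3_url` and `S3Location`, the bucket `example-bucket`, and the shorthand form `s3://bucket/key` are assumptions.

```ruby
require 'uri'

# Added example (hypothetical names; not vagrant-s3auth's own code).
# Region token such as ap-southeast-2 or us-gov-west-1.
REGION = /[a-z]{2}(?:-[a-z]+)+-\d+/
# Path-style host: s3.amazonaws.com, s3-<region>... or s3.<region>...
PATH_STYLE = /\As3(?:[.-](?<region>#{REGION}))?\.amazonaws\.com\z/
# Virtual-hosted host: <bucket>.s3[.-<region>].amazonaws.com
VHOST_STYLE = /\A(?<bucket>.+)\.s3(?:[.-](?<region>#{REGION}))?\.amazonaws\.com\z/

S3Location = Struct.new(:bucket, :key, :region) do
  # True when the URL carries no region, so the caller would still need
  # a GetBucketLocation request (and the IAM permission for it).
  def needs_lookup?
    region.nil?
  end
end

# Returns an S3Location, or nil when the URL is not an S3 URL.
def parse_s3_url(url)
  uri = URI.parse(url)
  path = uri.path.to_s.sub(%r{\A/}, '')
  # Shorthand form (assumed to be s3://bucket/key): never names a region.
  return S3Location.new(uri.host, path, nil) if uri.scheme == 's3'
  return nil unless %w[http https].include?(uri.scheme)

  host = uri.host.to_s.downcase
  if (m = PATH_STYLE.match(host))
    bucket, key = path.split('/', 2)
    return nil if bucket.nil? || bucket.empty?
    S3Location.new(bucket, key.to_s, m[:region])
  elsif (m = VHOST_STYLE.match(host))
    S3Location.new(m[:bucket], path, m[:region])
  end
rescue URI::InvalidURIError
  nil
end

# Constructed sample URLs; example-bucket is a placeholder name.
[
  'https://s3-ap-southeast-2.amazonaws.com/example-bucket/dev.box',
  'https://example-bucket.s3.ap-southeast-1.amazonaws.com/dev.box',
  'https://s3.amazonaws.com/example-bucket/dev.box',
  's3://example-bucket/dev.box'
].each do |url|
  loc = parse_s3_url(url)
  puts format('%-66s region=%-15s lookup=%s', url, loc.region.inspect, loc.needs_lookup?)
end
```

Only the last two forms leave the region unknown, so only they would depend on the `s3:GetBucketLocation` permission discussed in this thread.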
I was consistently getting the error:
```
Request for box's Amazon S3 region was denied.
This usually indicates that your user account is misconfigured. Ensure your IAM policy allows the "s3:GetBucketLocation" action for your bucket:
```
Even though I was able to access get-bucket-location through the AWS CLI.
I had to edit the code in `util.rb` and change the `DEFAULT_REGION` to `'ap-southeast-2'` to make the code work. I am not a native ruby speaker, so I wasn't able to work out why this fixed my issue.