aws-quickstart / quickstart-microsoft-activedirectory

AWS Quick Start Team
Apache License 2.0

Read-S3Object : Access Denied on AD module scripts #152

Open fortran01 opened 1 year ago

fortran01 commented 1 year ago

I am still getting an issue in the following line. It also occurs for Module-AD.psm1.

https://github.com/aws-quickstart/quickstart-microsoft-activedirectory/blob/550c741099502a15f555ee2c2fabefab69f7969e/templates/ad-1.template.yaml#L637

This block from Module-AD.psm1 is also affected. The error looks like "Failed to read and download GPO from S3 Access Denied".

        Write-Output 'Downloading GPO Zip File'
        Try {
            $Null = Read-S3Object -BucketName $S3BucketName -Key "$($S3KeyPrefix)scripts/GPOs.zip" -File 'C:\AWSQuickstart\GPOs.zip' -Region $S3BucketRegion
        } Catch [System.Exception] {
            Write-Output "Failed to read and download GPO from S3 $_"
            Exit 1
        }

It appears to be related or similar to the issue here https://github.com/aws-quickstart/quickstart-microsoft-activedirectory/issues/62.

    PS C:\Windows\system32> Read-S3Object -BucketName "aws-quickstart" -Key "quickstart-microsoft-activedirectory/scripts/Modules/Module-AD/Module-AD.psd1" -File "C:\AWSQuickstart\Module-AD\Module-AD.psd1" -Region "us-east-1"
    Read-S3Object : Access Denied

It works with my own custom bucket.

fortran01 commented 1 year ago

My guess is the ACL for these objects is configured Read for "Authenticated users group (anyone with an AWS account)", instead of "Everyone (public access)".
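
The ACL distinction guessed at in the last comment, as an added example that is not part of the original thread or of the Quick Start's own code: it classifies an object ACL's grants by who can read the object. `Get-AclReadScope` and `New-SampleGrant` are hypothetical names, and the sample grants are constructed to mirror the `authenticated-read`, `public-read` and `private` canned ACLs.

```powershell
# Added example: classify which callers an S3 object ACL allows to read the object.
# The two URIs are Amazon S3's predefined groups; everything else here is constructed.
$AllUsers  = 'http://acs.amazonaws.com/groups/global/AllUsers'            # "Everyone (public access)"
$AuthUsers = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'  # "Authenticated users group"

function Get-AclReadScope {
    param([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Grants)

    $scope = 'OwnerOrNamedGranteesOnly'
    foreach ($g in $Grants) {
        # Only READ and FULL_CONTROL let the grantee download the object.
        if ("$($g.Permission)" -notin 'READ', 'FULL_CONTROL') { continue }

        $uri = "$($g.Grantee.URI)"
        if ($uri -eq $AllUsers) {
            return 'Everyone'                          # anonymous and signed requests
        } elseif ($uri -eq $AuthUsers) {
            $scope = 'AuthenticatedAwsPrincipalsOnly'  # signed requests only
        }
    }
    return $scope
}

# Hypothetical helper that builds a grant shaped like the SDK's (Grantee.URI, Permission).
function New-SampleGrant([string]$Uri, [string]$Permission) {
    [pscustomobject]@{ Grantee = [pscustomobject]@{ URI = $Uri }; Permission = $Permission }
}

# Constructed samples, keyed by the canned ACL they imitate.
$samples = [ordered]@{
    'authenticated-read' = @(New-SampleGrant $AuthUsers 'READ')
    'public-read'        = @(New-SampleGrant $AllUsers  'READ')
    'private'            = @(New-SampleGrant ''         'FULL_CONTROL')  # owner grant, no group URI
}
foreach ($name in $samples.Keys) {
    '{0,-20} -> {1}' -f $name, (Get-AclReadScope -Grants $samples[$name])
}

# Against a real object (assumes your credentials hold READ_ACP on it, which a
# third-party bucket will normally not grant):
#   Get-AclReadScope -Grants (Get-S3ACL -BucketName <bucket> -Key <key>).Grants
```

A result of `AuthenticatedAwsPrincipalsOnly` means the object is not world-readable: a request that carries no AWS signature is refused, while the same key under a `public-read` ACL would be served.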