dcppc / data-stewards

Questions and answers about TOPmed, GTEx, and AGR resources.

List of policies associated with assumed role #21

Closed gversmee closed 6 years ago

gversmee commented 6 years ago

We have successfully tested the sample python code to retrieve 'helloworld.txt' from an S3 bucket.

However, further testing has been blocked by Access Denied issues. We are unable to list objects or buckets that are available. We are looking for a list of AWS policies that are associated with this assumed role.

Is that possible? Are there policies associated with the role that would allow us to list or download objects from certain or all buckets?

Greg - Team Carbon

webermn commented 6 years ago

Hi Greg,

Thanks for the note. The way permissions have been set up is to allow s3:GetObject permissions only on tagged objects within buckets. This is because there are other contents in those same buckets (e.g., other TOPMed study data files that are not approved for Tier 1a access), and it was important to keep bucket structures consistent since we have multiple copies of data across cloud environments and will be doing updates that will require synchronization, etc. over time.

For this reason, listing all the objects in a given bucket is not supported, so the "Access Denied" issue reported is expected behavior. You should be able to get to those files referenced in the file lists that were shared over email, but you'll need to specify the path(s).

I hope this answers your question. Please feel free to provide feedback on this issue, and if you'd like to chat with the NHLBI team here who administers the AWS environment to learn more, I'd be happy to set something up!

Best, Nick
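
The permission model described above (s3:GetObject allowed only on tagged objects, no ListBucket statement at all, so listing falls through to IAM's implicit deny) can be written down as an identity policy and checked against a handful of object keys. The block below is an added illustration, not the NHLBI account's real policy and not code from this thread. The bucket name is the one used in the thread; the tag key `AccessTier`, the tag value `1a`, the object inventory, and the tiny policy evaluator (which implements only `StringEquals` and the Allow/Deny/implicit-deny ordering this policy needs) are assumptions constructed for the example.

```python
import json
from fnmatch import fnmatchcase

# Constructed policy mirroring the described setup: GetObject is granted only when
# the object already carries the approval tag; there is no s3:ListBucket or
# s3:ListAllMyBuckets statement, so those actions are implicitly denied.
# Tag key/value are assumptions; the bucket name comes from the thread.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GetApprovedObjectsOnly",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::nih-nhlbi-datacommons/*",
            "Condition": {
                "StringEquals": {"s3:ExistingObjectTag/AccessTier": "1a"}
            },
        }
    ],
}

# Constructed inventory of objects and their tags (not real study data).
OBJECTS = {
    "helloworld.txt": {"AccessTier": "1a"},
    "topmed/phs000001/approved.vcf.gz": {"AccessTier": "1a"},
    "topmed/phs000002/restricted.vcf.gz": {"AccessTier": "2"},
    "topmed/phs000003/untagged.bam": {},
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _condition_holds(condition, context):
    """Evaluate StringEquals only, which is all this policy uses.
    A missing context key never satisfies StringEquals, matching IAM."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, wanted in pairs.items():
            if context.get(key) not in _as_list(wanted):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Simplified IAM evaluation: implicit deny unless a statement allows;
    an applicable explicit Deny always wins."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_get_object(policy, bucket, key):
    # S3 exposes the object's tags to the policy as s3:ExistingObjectTag/<tagkey>.
    tags = OBJECTS.get(key, {})
    ctx = {f"s3:ExistingObjectTag/{k}": v for k, v in tags.items()}
    return is_allowed(policy, "s3:GetObject", f"arn:aws:s3:::{bucket}/{key}", ctx)


def can_list_bucket(policy, bucket):
    # ListBucket is evaluated against the bucket ARN, not an object ARN.
    return is_allowed(policy, "s3:ListBucket", f"arn:aws:s3:::{bucket}")


def fetch_from_file_list(policy, bucket, keys):
    """What the thread recommends: walk an explicit key list instead of listing."""
    return {k: ("ok" if can_get_object(policy, bucket, k) else "AccessDenied")
            for k in keys}


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    print("list bucket:", can_list_bucket(POLICY, "nih-nhlbi-datacommons"))
    print(fetch_from_file_list(POLICY, "nih-nhlbi-datacommons", list(OBJECTS)))
```

The point the evaluator makes concrete: with this policy an `AccessDenied` on `list_objects` or `list_buckets` is not a misconfiguration but the absence of any Allow, while `get_object` on a key from the shared file list succeeds only if that object carries the approval tag. In a real account the same check is done with the IAM policy simulator or with an actual `get_object` against a known key.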

gversmee commented 6 years ago

Hi Nick, thank you, I have been able to access the data and to transfer files to our own s3. If others are interested, I attach the lambda function to upload helloworld.txt to your own s3. As a suggestion, what about replacing the helloworld file by the list of the files that you shared by email? It would be an easy way to access it.


import boto3

def lambda_handler(event, context):
    sts = boto3.client('sts')
    # insert the arn for role to be assumed in the NIH account.
    rolearn = 'arn:aws:iam::************:role/*****************'
    # 900 seconds is the minimum STS session duration; the Lambda only needs the credentials briefly.
    assumed = sts.assume_role(RoleArn=rolearn, RoleSessionName='NIH-Test', DurationSeconds=900)
    credentials = assumed['Credentials']

    # S3 client authenticated with the temporary credentials of the assumed NIH role.
    nih = boto3.client('s3',
                       aws_access_key_id=credentials['AccessKeyId'],
                       aws_secret_access_key=credentials['SecretAccessKey'],
                       aws_session_token=credentials['SessionToken'])

    # Listing is denied for this role, so the object is fetched by its explicit key.
    response = nih.get_object(Bucket='nih-nhlbi-datacommons', Key='helloworld.txt')
    # Read the streaming body once: a second .read() on the same stream returns b''.
    data = response['Body'].read()
    print(data.decode('utf-8'))

    # Destination bucket is written with the Lambda's own execution-role credentials.
    hms = boto3.resource('s3')
    hms.Bucket('your-bucket').put_object(Body=data, Key='helloworld.txt')

    return 'success'