seporaitis / yum-s3-iam

Yum package manager plugin for private S3 repositories. Uses Amazon IAM & EC2 Roles.
Apache License 2.0

Problems using IAM role #57

Closed bendavies closed 6 years ago

bendavies commented 7 years ago

Hey there!

I'm trying to use this plugin (latest master commit) on an EC2 instance, authenticating via IAM role. The plugin/yum gives this error, however:

Error: Cannot retrieve repository metadata (repomd.xml) for repository: foo. Please verify its path and try again

The auth/IAM role seems fine, as I can run

aws s3 ls s3://bucket-url/path

on the instance without problem.

Any idea how I might debug the issue? I was looking at the plugin to see if I could enable logging, but no such luck.

Thanks!

mbrossard commented 7 years ago

Hi,

I missed this message. Can you tell us the URL you've used in the configuration? Have you tried the different URL forms? Some regions need to use v4 signature and for that we need to know the region.

bendavies commented 7 years ago

Hey @mbrossard. Thanks for the reply! I'll give this a try again this week. It's been a while!

bendavies commented 7 years ago

@mbrossard btw, what URL forms do you suggest I try? Thanks!

mbrossard commented 7 years ago

Try the path-style URL: https://s3-<aws-region>.amazonaws.com/<bucket>/<path>

If the S3 bucket is in the us-east-1 region, you have to use https://s3.amazonaws.com/<bucket>/<path>

The region in the URL always refers to the region where the bucket is located.

mchodson commented 7 years ago

I have the same issue. If I add AWS credentials to my EC2 instance this works fine, but if I use an IAM role I get "The requested URL returned error: 403 Forbidden".

mbrossard commented 7 years ago

In both cases you can check that using the instance profile (or the same credentials used in the configuration):

aws s3 cp s3://<bucket>/<path>/repodata/repomd.xml .
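Added example (not part of the thread and not the plugin's own code): a small Python helper that takes a repo baseurl in the forms described above, derives the bucket and the region a v4 signature would need, and builds the repomd.xml check command. It also accepts dotted-region and virtual-hosted endpoints, which goes beyond the two forms quoted here; the function names and the sample baseurl are assumptions.

```python
import re
from urllib.parse import urlparse

# Host patterns for S3 endpoints. s3-<region> and the bare s3.amazonaws.com are
# the path-style forms quoted in the thread; the dotted-region and
# virtual-hosted (<bucket>.s3...) variants are added for this example.
_PATH_STYLE = re.compile(r"^s3(?:[-.](?P<region>[a-z0-9-]+))?\.amazonaws\.com$")
_VHOST_STYLE = re.compile(
    r"^(?P<bucket>.+)\.s3(?:[-.](?P<region>[a-z0-9-]+))?\.amazonaws\.com$")


def parse_baseurl(baseurl):
    """Return (bucket, region, prefix) for an S3 repo baseurl, or raise ValueError."""
    parts = urlparse(baseurl)
    host = (parts.hostname or "").lower()
    path = parts.path.strip("/")
    m = _PATH_STYLE.match(host)
    if m:
        # Path-style: the bucket is the first path segment.
        bucket, _, prefix = path.partition("/")
        if not bucket:
            raise ValueError("path-style URL has no bucket: %s" % baseurl)
    else:
        m = _VHOST_STYLE.match(host)
        if not m:
            raise ValueError("not a recognised S3 endpoint: %s" % baseurl)
        bucket, prefix = m.group("bucket"), path
    # A bare s3.amazonaws.com endpoint means us-east-1, as noted in the thread.
    region = m.group("region") or "us-east-1"
    return bucket, region, prefix


def repomd_check_command(baseurl):
    """Build the aws CLI call that fetches repomd.xml for this baseurl."""
    bucket, region, prefix = parse_baseurl(baseurl)
    key = "/".join(p for p in (prefix, "repodata/repomd.xml") if p)
    return "aws s3 cp s3://%s/%s . --region %s" % (bucket, key, region)


if __name__ == "__main__":
    # Constructed sample baseurl, not taken from the thread.
    print(repomd_check_command("https://s3-eu-west-1.amazonaws.com/my-repo/centos/6"))
```

If the printed command succeeds on the instance with the role attached while yum still returns 403, compare the region it shows with the region the bucket is actually in.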

bendavies commented 7 years ago

Apologies @mbrossard, I still mean to look at this. I'm just super busy right now.

bendavies commented 6 years ago

Hey there again @mbrossard, I've just started looking at this again.

It seems I can now install via the plugin (for some unknown reason, I've changed nothing), but the following doesn't work.

yum --disablerepo "*" --enablerepo "foo" list available
Loaded plugins: fastestmirror, presto, s3iam, security
Loading mirror speeds from cached hostfile

No packages are listed, but they are there! Any ideas?

Thanks

bendavies commented 6 years ago

OK, I'm an idiot :-) list available won't list currently installed packages.

I think we're good!