How can I access protected S3 files in a CFN script?

Question

I am trying to retrieve a file in my cloudformation script. If I make the file publicly available, then it works fine. If the file is private, then the cfn script fails, but with a 404 error in /var/log/. Trying to retrieve the file via wget results in the appropriate 403 error.

How can I retrieve private files from S3?

My file clause looks like:

    "files" : {
      "/etc/httpd/conf/httpd.conf" : { 
        "source" : "https://s3.amazonaws.com/myConfigBucket/httpd.conf"
      }
    },

I added an authentication clause and appropriate parameter:

"Parameters" : {
  "BucketRole" : {
    "Description" : "S3 role for access to bucket",
    "Type" : "String",
    "Default" : "S3Access",
    "ConstraintDescription" : "Must be a valid IAM Role"
  }
}

    "AWS::CloudFormation::Authentication": {
      "default" : {
        "type": "s3",
        "buckets": [ "myConfigBucket" ],
        "roleName": { "Ref" : "BucketRole" }
      }
    },

My IAM Role looks like:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "*"
    }
  ]
}

Answer 1

The solution is to add an IamInstanceProfile property to the instance creation:

   "Parameters" : {
     ...
     "RoleName" : {
       "Description" : "IAM Role for access to S3",
       "Type" : "String",
       "Default" : "DefaultRoleName",
       "ConstraintDescription" : "Must be a valid IAM Role"
     }
   },

   "Resources" : {
     "InstanceName" : {
       "Type" : "AWS::EC2::Instance",
       "Properties" : {
         "ImageId"             : { "Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "64"] },
         "InstanceType"        : { "Ref" : "InstanceType" },
         "SecurityGroups"      : [ {"Ref" : "SecurityGroup"} ],
         "IamInstanceProfile"  : { "Ref" : "RoleName" },
         "KeyName"             : { "Ref" : "KeyName" }
       }
     },
     ...