[GH-ISSUE #1743] Cross account mounting bucket on EC2 instance via iam role got 403 denied #896

Open
opened 2026-03-04 01:49:44 +03:00 by kerem · 3 comments

Originally created by @coolthluo on GitHub (Aug 17, 2021).
Original GitHub issue: https://github.com/s3fs-fuse/s3fs-fuse/issues/1743

Additional Information

The following information is very important in order to help us to help you. Omission of the following details may delay your support request or receive no attention at all.
Keep in mind that the commands we provide to retrieve information are oriented to GNU/Linux Distributions, so you could need to use others if you use s3fs on macOS or BSD

Version of s3fs being used (s3fs --version)

example: 1.89

Version of fuse being used (pkg-config --modversion fuse, rpm -qi fuse, dpkg -s fuse)

example: 2.9.2

Kernel information (uname -r)

command result: 4.14.238-182.422.amzn2.x86_64

GNU/Linux Distribution, if applicable (cat /etc/os-release)

command result: cat /etc/os-release

s3fs command line used, if applicable

sudo s3fs -f -d -o dbglevel=info -o curldbg -o allow_other -o iam_role -o url=https://s3.us-east-1.amazonaws.com xxx-s3fs-test /home/s3fs/s3-drive/

/etc/fstab entry, if applicable

N/A

s3fs syslog messages (grep s3fs /var/log/syslog, journalctl | grep s3fs, or s3fs outputs)

if you execute s3fs with dbglevel, curldbg option, you can get detail debug messages

2021-08-17T00:51:19.349Z [INF]       curl_util.cpp:prepare_url(250): URL is https://s3.us-east-1.amazonaws.com/xxx-s3fs-test/
2021-08-17T00:51:19.349Z [INF]       curl_util.cpp:prepare_url(283): URL changed is https://xxx-s3fs-test.s3.us-east-1.amazonaws.com/
2021-08-17T00:51:19.349Z [CURL DBG] * Found bundle for host xxx-s3fs-test.s3.us-east-1.amazonaws.com: 0x7f56ec00bf90 [can pipeline]
2021-08-17T00:51:19.349Z [CURL DBG] * Re-using existing connection! (#3) with host xxx-s3fs-test.s3.us-east-1.amazonaws.com
2021-08-17T00:51:19.349Z [CURL DBG] * Connected to xxx-s3fs-test.s3.us-east-1.amazonaws.com (52.217.39.144) port 443 (#3)
2021-08-17T00:51:19.349Z [CURL DBG] > GET / HTTP/1.1
2021-08-17T00:51:19.349Z [CURL DBG] > Host: xxx-s3fs-test.s3.us-east-1.amazonaws.com
2021-08-17T00:51:19.349Z [CURL DBG] > User-Agent: s3fs/1.89 (commit hash unknown; OpenSSL)
2021-08-17T00:51:19.349Z [CURL DBG] > Accept: */*
2021-08-17T00:51:19.349Z [CURL DBG] > Authorization: AWS ASIA4SAZRVPP57LXT3OI:1AzHQGj3ji4vPZ6Pxbl3aDtbQP8=
2021-08-17T00:51:19.349Z [CURL DBG] > Date: Tue, 17 Aug 2021 00:51:19 GMT
2021-08-17T00:51:19.349Z [CURL DBG] > x-amz-security-token: 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
2021-08-17T00:51:19.349Z [CURL DBG] > 
2021-08-17T00:51:19.363Z [CURL DBG] < HTTP/1.1 403 Forbidden
2021-08-17T00:51:19.363Z [CURL DBG] < x-amz-bucket-region: us-east-1
2021-08-17T00:51:19.363Z [CURL DBG] < x-amz-request-id: 4RMCK8G7GHMDSRAZ
2021-08-17T00:51:19.363Z [CURL DBG] < x-amz-id-2: G9hFGGX0VODKsidUt61OlK8RxP6rtRa1bjQHgJKTChohF/+4SerehIRBj+HO+oT2T1eD+aT6jww=
2021-08-17T00:51:19.363Z [CURL DBG] < Content-Type: application/xml
2021-08-17T00:51:19.363Z [CURL DBG] < Transfer-Encoding: chunked
2021-08-17T00:51:19.363Z [CURL DBG] < Date: Tue, 17 Aug 2021 00:51:19 GMT
2021-08-17T00:51:19.363Z [CURL DBG] < Server: AmazonS3
2021-08-17T00:51:19.363Z [CURL DBG] < 
2021-08-17T00:51:19.363Z [CURL DBG] * Connection #3 to host xxx-s3fs-test.s3.us-east-1.amazonaws.com left intact
2021-08-17T00:51:19.363Z [ERR] curl.cpp:RequestPerform(2324): HTTP response code 403, returning EPERM. Body Text: <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>4RMCK8G7GHMDSRAZ</RequestId><HostId>G9hFGGX0VODKsidUt61OlK8RxP6rtRa1bjQHgJKTChohF/+4SerehIRBj+HO+oT2T1eD+aT6jww=</HostId></Error>
2021-08-17T00:51:19.363Z [ERR] curl.cpp:CheckBucket(3396): Check bucket failed, S3 response: <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>4RMCK8G7GHMDSRAZ</RequestId><HostId>G9hFGGX0VODKsidUt61OlK8RxP6rtRa1bjQHgJKTChohF/+4SerehIRBj+HO+oT2T1eD+aT6jww=</HostId></Error>
2021-08-17T00:51:19.363Z [CRT] s3fs.cpp:s3fs_check_service(3517): invalid credentials(host=https://s3.us-east-1.amazonaws.com) - result of checking service.
2021-08-17T00:51:19.363Z [ERR] s3fs.cpp:s3fs_exit_fuseloop(3321): Exiting FUSE event loop due to errors

2021-08-17T00:51:19.394Z [INF] s3fs.cpp:s3fs_destroy(3389): destroy
[S3fsAdmin@ip-198-19-174-126 ~]$ clear

[S3fsAdmin@ip-198-19-174-126 ~]$ sudo s3fs -f -d -o dbglevel=info -o curldbg -o allow_other -o iam_role -o url=https://s3.us-east-1.amazonaws.com xxx-s3fs-test /home/S3fsAdmin/s3-drive/
2021-08-17T00:51:23.318Z [CRT] s3fs_logger.cpp:LowSetLogLevel(219): change debug level from [CRT] to [INF] 
2021-08-17T00:51:23.318Z [INF]     s3fs.cpp:set_mountpoint_attribute(4020): PROC(uid=0, gid=0) - MountPoint(uid=1001, gid=1001, mode=40775)
2021-08-17T00:51:23.320Z [INF] curl.cpp:InitMimeType(436): Loaded mime information from /etc/mime.types
2021-08-17T00:51:23.320Z [INF] fdcache_stat.cpp:CheckCacheFileStatTopDir(79): The path to cache top dir is empty, thus not need to check permission.
2021-08-17T00:51:23.323Z [INF] s3fs.cpp:s3fs_init(3331): init v1.89(commit:unknown) with OpenSSL
2021-08-17T00:51:23.323Z [INF]       curl.cpp:LoadIAMRoleFromMetaData(2881): Get IAM Role name
2021-08-17T00:51:23.323Z [CURL DBG] *   Trying 169.254.169.254...
2021-08-17T00:51:23.323Z [CURL DBG] * TCP_NODELAY set
2021-08-17T00:51:23.323Z [CURL DBG] * Connected to 169.254.169.254 (169.254.169.254) port 80 (#0)
2021-08-17T00:51:23.323Z [CURL DBG] > GET /latest/meta-data/iam/security-credentials/ HTTP/1.1
2021-08-17T00:51:23.323Z [CURL DBG] > Host: 169.254.169.254
2021-08-17T00:51:23.323Z [CURL DBG] > User-Agent: s3fs/1.89 (commit hash unknown; OpenSSL)
2021-08-17T00:51:23.323Z [CURL DBG] > Accept: */*
2021-08-17T00:51:23.323Z [CURL DBG] > 
2021-08-17T00:51:23.324Z [CURL DBG] * HTTP 1.0, assume close after body
2021-08-17T00:51:23.324Z [CURL DBG] < HTTP/1.0 200 OK
2021-08-17T00:51:23.324Z [CURL DBG] < Accept-Ranges: bytes
2021-08-17T00:51:23.324Z [CURL DBG] < Content-Length: 26
2021-08-17T00:51:23.324Z [CURL DBG] < Content-Type: text/plain
2021-08-17T00:51:23.324Z [CURL DBG] < Date: Tue, 17 Aug 2021 00:51:23 GMT
2021-08-17T00:51:23.324Z [CURL DBG] < Last-Modified: Tue, 17 Aug 2021 00:14:54 GMT
2021-08-17T00:51:23.324Z [CURL DBG] < Connection: close
2021-08-17T00:51:23.324Z [CURL DBG] < Server: EC2ws
2021-08-17T00:51:23.324Z [CURL DBG] < 
2021-08-17T00:51:23.324Z [CURL DBG] * Closing connection 0
2021-08-17T00:51:23.324Z [INF]       curl.cpp:RequestPerform(2287): HTTP response code 200
2021-08-17T00:51:23.325Z [INF]       curl.cpp:SetIAMRoleFromMetaData(1773): IAM role name response = "xxxxxxxRole"
2021-08-17T00:51:23.325Z [INF] s3fs.cpp:s3fs_init(3348): loaded IAM role name = xxxxxxxRole
2021-08-17T00:51:23.325Z [INF] curl_handlerpool.cpp:ReturnHandler(110): Pool full: destroy the oldest handler
2021-08-17T00:51:23.325Z [INF] s3fs.cpp:s3fs_check_service(3447): check services.
2021-08-17T00:51:23.325Z [INF] curl.cpp:CheckIAMCredentialUpdate(1741): IAM Access Token refreshing...
2021-08-17T00:51:23.325Z [INF]       curl.cpp:GetIAMCredentials(2784): [IAM role=xxxxxxxRole]
2021-08-17T00:51:23.325Z [CURL DBG] * Hostname 169.254.169.254 was found in DNS cache
2021-08-17T00:51:23.325Z [CURL DBG] *   Trying 169.254.169.254...
2021-08-17T00:51:23.325Z [CURL DBG] * TCP_NODELAY set
2021-08-17T00:51:23.325Z [CURL DBG] * Connected to 169.254.169.254 (169.254.169.254) port 80 (#1)
2021-08-17T00:51:23.325Z [CURL DBG] > PUT /latest/api/token HTTP/1.1
2021-08-17T00:51:23.325Z [CURL DBG] > Host: 169.254.169.254
2021-08-17T00:51:23.325Z [CURL DBG] > User-Agent: s3fs/1.89 (commit hash unknown; OpenSSL)
2021-08-17T00:51:23.325Z [CURL DBG] > Accept: */*
2021-08-17T00:51:23.325Z [CURL DBG] > Transfer-Encoding: chunked
2021-08-17T00:51:23.325Z [CURL DBG] > X-aws-ec2-metadata-token-ttl-seconds: 21600
2021-08-17T00:51:23.325Z [CURL DBG] > Expect: 100-continue
2021-08-17T00:51:23.325Z [CURL DBG] > 
2021-08-17T00:51:23.325Z [CURL DBG] * HTTP 1.0, assume close after body
2021-08-17T00:51:23.325Z [CURL DBG] < HTTP/1.0 417 Expectation Failed
2021-08-17T00:51:23.325Z [CURL DBG] < Content-Type: text/html
2021-08-17T00:51:23.325Z [CURL DBG] < Content-Length: 363
2021-08-17T00:51:23.325Z [CURL DBG] < Connection: close
2021-08-17T00:51:23.325Z [CURL DBG] < Date: Tue, 17 Aug 2021 00:51:23 GMT
2021-08-17T00:51:23.326Z [CURL DBG] < Server: EC2ws
2021-08-17T00:51:23.326Z [CURL DBG] < 
2021-08-17T00:51:23.326Z [CURL DBG] * Closing connection 1
2021-08-17T00:51:23.326Z [ERR] curl.cpp:RequestPerform(2353): HTTP response code 417, returning EIO. Body Text: <?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
  <title>417 - Expectation Failed</title>
 </head>
 <body>
  <h1>417 - Expectation Failed</h1>
 </body>
</html>

2021-08-17T00:51:23.326Z [ERR] curl.cpp:GetIAMCredentials(2821): AWS IMDSv2 token retrieval failed: -5
2021-08-17T00:51:23.326Z [CURL DBG] * Hostname 169.254.169.254 was found in DNS cache
2021-08-17T00:51:23.326Z [CURL DBG] *   Trying 169.254.169.254...
2021-08-17T00:51:23.326Z [CURL DBG] * TCP_NODELAY set
2021-08-17T00:51:23.326Z [CURL DBG] * Connected to 169.254.169.254 (169.254.169.254) port 80 (#2)
2021-08-17T00:51:23.326Z [CURL DBG] > GET /latest/meta-data/iam/security-credentials/xxxxxxxRole
 HTTP/1.1
2021-08-17T00:51:23.326Z [CURL DBG] > Host: 169.254.169.254
2021-08-17T00:51:23.326Z [CURL DBG] > User-Agent: s3fs/1.89 (commit hash unknown; OpenSSL)
2021-08-17T00:51:23.326Z [CURL DBG] > Accept: */*
2021-08-17T00:51:23.326Z [CURL DBG] > 
2021-08-17T00:51:23.327Z [CURL DBG] * HTTP 1.0, assume close after body
2021-08-17T00:51:23.327Z [CURL DBG] < HTTP/1.0 200 OK
2021-08-17T00:51:23.327Z [CURL DBG] < Accept-Ranges: bytes
2021-08-17T00:51:23.327Z [CURL DBG] < Content-Length: 1298
2021-08-17T00:51:23.327Z [CURL DBG] < Content-Type: text/plain
2021-08-17T00:51:23.327Z [CURL DBG] < Date: Tue, 17 Aug 2021 00:51:23 GMT
2021-08-17T00:51:23.327Z [CURL DBG] < Last-Modified: Tue, 17 Aug 2021 00:14:54 GMT
2021-08-17T00:51:23.327Z [CURL DBG] < Connection: close
2021-08-17T00:51:23.327Z [CURL DBG] < Server: EC2ws
2021-08-17T00:51:23.327Z [CURL DBG] < 
2021-08-17T00:51:23.327Z [CURL DBG] * Closing connection 2
2021-08-17T00:51:23.327Z [INF]       curl.cpp:RequestPerform(2287): HTTP response code 200
2021-08-17T00:51:23.327Z [INF]       curl.cpp:SetIAMCredentials(1705): IAM credential response = "{
  "Code" : "Success",
  "LastUpdated" : "2021-08-17T00:15:01Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIA4SAZRVPP57LXT3OI",
  "SecretAccessKey" : "y1WAMLmSXgQ40CV7WjXkBW6OkjQvIBPrK8dWTAnE",
  "Token" : "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",
  "Expiration" : "2021-08-17T06:44:53Z"
}"
2021-08-17T00:51:23.327Z [INF] curl.cpp:CheckIAMCredentialUpdate(1748): IAM Access Token refreshed
2021-08-17T00:51:23.327Z [INF]       curl.cpp:CheckBucket(3364): check a bucket.
2021-08-17T00:51:23.327Z [INF]       curl_util.cpp:prepare_url(250): URL is https://s3.us-east-1.amazonaws.com/xxx-s3fs-test/
2021-08-17T00:51:23.327Z [INF]       curl_util.cpp:prepare_url(283): URL changed is https://xxx-s3fs-test.s3.us-east-1.amazonaws.com/
2021-08-17T00:51:23.327Z [INF]       curl.cpp:insertV4Headers(2640): computing signature [GET] [/] [] []
2021-08-17T00:51:23.328Z [INF]       curl_util.cpp:url_to_host(327): url is https://s3.us-east-1.amazonaws.com
2021-08-17T00:51:23.336Z [CURL DBG] *   Trying 52.217.205.130...
2021-08-17T00:51:23.336Z [CURL DBG] * TCP_NODELAY set
2021-08-17T00:51:23.343Z [CURL DBG] * Connected to xxx-s3fs-test.s3.us-east-1.amazonaws.com (52.217.205.130) port 443 (#3)
2021-08-17T00:51:23.344Z [CURL DBG] * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
2021-08-17T00:51:23.350Z [CURL DBG] * successfully set certificate verify locations:
2021-08-17T00:51:23.350Z [CURL DBG] *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
2021-08-17T00:51:23.350Z [CURL DBG] * TLSv1.2 (OUT), TLS header, Certificate Status (22):
2021-08-17T00:51:23.350Z [CURL DBG] * TLSv1.2 (OUT), TLS handshake, Client hello (1):
2021-08-17T00:51:23.351Z [CURL DBG] * TLSv1.2 (IN), TLS handshake, Server hello (2):
2021-08-17T00:51:23.351Z [CURL DBG] * TLSv1.2 (IN), TLS handshake, Certificate (11):
2021-08-17T00:51:23.351Z [CURL DBG] * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
2021-08-17T00:51:23.351Z [CURL DBG] * TLSv1.2 (IN), TLS handshake, Server finished (14):
2021-08-17T00:51:23.352Z [CURL DBG] * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
2021-08-17T00:51:23.352Z [CURL DBG] * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
2021-08-17T00:51:23.352Z [CURL DBG] * TLSv1.2 (OUT), TLS handshake, Finished (20):
2021-08-17T00:51:23.353Z [CURL DBG] * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
2021-08-17T00:51:23.353Z [CURL DBG] * TLSv1.2 (IN), TLS handshake, Finished (20):
2021-08-17T00:51:23.353Z [CURL DBG] * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
2021-08-17T00:51:23.353Z [CURL DBG] * Server certificate:
2021-08-17T00:51:23.353Z [CURL DBG] *  subject: C=US; ST=Washington; L=Seattle; O=Amazon.com, Inc.; CN=s3.amazonaws.com
2021-08-17T00:51:23.353Z [CURL DBG] *  start date: Jun 23 00:00:00 2021 GMT
2021-08-17T00:51:23.353Z [CURL DBG] *  expire date: Jul 24 23:59:59 2022 GMT
2021-08-17T00:51:23.353Z [CURL DBG] *  subjectAltName: host "xxx-s3fs-test.s3.us-east-1.amazonaws.com" matched cert's "*.s3.us-east-1.amazonaws.com"
2021-08-17T00:51:23.353Z [CURL DBG] *  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert Baltimore CA-2 G2
2021-08-17T00:51:23.353Z [CURL DBG] *  SSL certificate verify ok.
2021-08-17T00:51:23.353Z [CURL DBG] > GET / HTTP/1.1
2021-08-17T00:51:23.353Z [CURL DBG] > Host: xxx-s3fs-test.s3.us-east-1.amazonaws.com
2021-08-17T00:51:23.353Z [CURL DBG] > User-Agent: s3fs/1.89 (commit hash unknown; OpenSSL)
2021-08-17T00:51:23.353Z [CURL DBG] > Accept: */*
2021-08-17T00:51:23.353Z [CURL DBG] > Authorization: AWS4-HMAC-SHA256 Credential=ASIA4SAZRVPP57LXT3OI/20210817/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=c970107d23a4574f7ce223bb655380a0229d26c22695c27c14c5d06f8847ea11
2021-08-17T00:51:23.353Z [CURL DBG] > x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2021-08-17T00:51:23.353Z [CURL DBG] > x-amz-date: 20210817T005123Z
2021-08-17T00:51:23.353Z [CURL DBG] > x-amz-security-token: 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
2021-08-17T00:51:23.353Z [CURL DBG] > 
2021-08-17T00:51:23.378Z [CURL DBG] < HTTP/1.1 403 Forbidden
2021-08-17T00:51:23.378Z [CURL DBG] < x-amz-bucket-region: us-east-1
2021-08-17T00:51:23.378Z [CURL DBG] < x-amz-request-id: G7YTHSEVSTNQ1WZN
2021-08-17T00:51:23.378Z [CURL DBG] < x-amz-id-2: 8KqBmBh0n/zqDxJJD+tqV7tNwDUBe2NTmu7zv3Cnt0+P6N58w7LIYgmR0NCqjmPds4kkdjAltSU=
2021-08-17T00:51:23.378Z [CURL DBG] < Content-Type: application/xml
2021-08-17T00:51:23.378Z [CURL DBG] < Transfer-Encoding: chunked
2021-08-17T00:51:23.378Z [CURL DBG] < Date: Tue, 17 Aug 2021 00:51:23 GMT
2021-08-17T00:51:23.378Z [CURL DBG] < Server: AmazonS3
2021-08-17T00:51:23.378Z [CURL DBG] < 
2021-08-17T00:51:23.378Z [CURL DBG] * Connection #3 to host xxx-s3fs-test.s3.us-east-1.amazonaws.com left intact
2021-08-17T00:51:23.378Z [ERR] curl.cpp:RequestPerform(2324): HTTP response code 403, returning EPERM. Body Text: <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>G7YTHSEVSTNQ1WZN</RequestId><HostId>8KqBmBh0n/zqDxJJD+tqV7tNwDUBe2NTmu7zv3Cnt0+P6N58w7LIYgmR0NCqjmPds4kkdjAltSU=</HostId></Error>
2021-08-17T00:51:23.378Z [ERR] curl.cpp:CheckBucket(3396): Check bucket failed, S3 response: <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>G7YTHSEVSTNQ1WZN</RequestId><HostId>8KqBmBh0n/zqDxJJD+tqV7tNwDUBe2NTmu7zv3Cnt0+P6N58w7LIYgmR0NCqjmPds4kkdjAltSU=</HostId></Error>
2021-08-17T00:51:23.378Z [CRT] s3fs.cpp:s3fs_check_service(3502): Failed to connect by sigv4, so retry to connect by signature version 2.
2021-08-17T00:51:23.378Z [INF]       curl.cpp:CheckBucket(3364): check a bucket.
2021-08-17T00:51:23.378Z [INF]       curl_util.cpp:prepare_url(250): URL is https://s3.us-east-1.amazonaws.com/xxx-s3fs-test/
2021-08-17T00:51:23.378Z [INF]       curl_util.cpp:prepare_url(283): URL changed is https://xxx-s3fs-test.s3.us-east-1.amazonaws.com/
2021-08-17T00:51:23.379Z [CURL DBG] * Found bundle for host xxx-s3fs-test.s3.us-east-1.amazonaws.com: 0x7f1aec00bf90 [can pipeline]
2021-08-17T00:51:23.379Z [CURL DBG] * Re-using existing connection! (#3) with host xxx-s3fs-test.s3.us-east-1.amazonaws.com
2021-08-17T00:51:23.379Z [CURL DBG] * Connected to xxx-s3fs-test.s3.us-east-1.amazonaws.com (52.217.205.130) port 443 (#3)
2021-08-17T00:51:23.379Z [CURL DBG] > GET / HTTP/1.1
2021-08-17T00:51:23.379Z [CURL DBG] > Host: xxx-s3fs-test.s3.us-east-1.amazonaws.com
2021-08-17T00:51:23.379Z [CURL DBG] > User-Agent: s3fs/1.89 (commit hash unknown; OpenSSL)
2021-08-17T00:51:23.379Z [CURL DBG] > Accept: */*
2021-08-17T00:51:23.379Z [CURL DBG] > Authorization: AWS ASIA4SAZRVPP57LXT3OI:Y70wASUeawprUtKxK4BbI4nr1Ec=
2021-08-17T00:51:23.379Z [CURL DBG] > Date: Tue, 17 Aug 2021 00:51:23 GMT
2021-08-17T00:51:23.379Z [CURL DBG] > x-amz-security-token: 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
2021-08-17T00:51:23.379Z [CURL DBG] > 
2021-08-17T00:51:23.388Z [CURL DBG] < HTTP/1.1 403 Forbidden
2021-08-17T00:51:23.388Z [CURL DBG] < x-amz-bucket-region: us-east-1
2021-08-17T00:51:23.388Z [CURL DBG] < x-amz-request-id: G7YZRJM7GGJTB7AH
2021-08-17T00:51:23.388Z [CURL DBG] < x-amz-id-2: p9ZKAueC3nfUvhNQCGcwynRtrBoXNyaCFr3l6gxzj48cOkmPsjbda+MYRNhdP43wqbM9FLspVTM=
2021-08-17T00:51:23.388Z [CURL DBG] < Content-Type: application/xml
2021-08-17T00:51:23.388Z [CURL DBG] < Transfer-Encoding: chunked
2021-08-17T00:51:23.388Z [CURL DBG] < Date: Tue, 17 Aug 2021 00:51:23 GMT
2021-08-17T00:51:23.388Z [CURL DBG] < Server: AmazonS3
2021-08-17T00:51:23.388Z [CURL DBG] < 
2021-08-17T00:51:23.388Z [CURL DBG] * Connection #3 to host xxx-s3fs-test.s3.us-east-1.amazonaws.com left intact
2021-08-17T00:51:23.388Z [ERR] curl.cpp:RequestPerform(2324): HTTP response code 403, returning EPERM. Body Text: <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>G7YZRJM7GGJTB7AH</RequestId><HostId>p9ZKAueC3nfUvhNQCGcwynRtrBoXNyaCFr3l6gxzj48cOkmPsjbda+MYRNhdP43wqbM9FLspVTM=</HostId></Error>
2021-08-17T00:51:23.388Z [ERR] curl.cpp:CheckBucket(3396): Check bucket failed, S3 response: <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>G7YZRJM7GGJTB7AH</RequestId><HostId>p9ZKAueC3nfUvhNQCGcwynRtrBoXNyaCFr3l6gxzj48cOkmPsjbda+MYRNhdP43wqbM9FLspVTM=</HostId></Error>
2021-08-17T00:51:23.388Z [CRT] s3fs.cpp:s3fs_check_service(3517): invalid credentials(host=https://s3.us-east-1.amazonaws.com) - result of checking service.
2021-08-17T00:51:23.388Z [ERR] s3fs.cpp:s3fs_exit_fuseloop(3321): Exiting FUSE event loop due to errors

2021-08-17T00:51:23.418Z [INF] s3fs.cpp:s3fs_destroy(3389): destroy

Details about issue

Hi All

Account A: Account has destination s3 bucket.
Account B: My EC2 instance account.

I want to mount account A's S3 bucket on account B (EC2 instance).
I've followed this tutorial https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/
to set up Cross-account IAM roles.

I am able to fetch bucket info via AWS CLI aws s3 ls, which means the cross-account permission setup is correct.

This is my ~/.aws/config,

[default]
role_arn = arn:aws:iam::AccountA:role/AccountA-bucket-role
credential_source = Ec2InstanceMetadata
region = us-east-1
output = json

And ~/.aws/credentials is empty.

I tried to add -o profile=default but it won't work.

sudo s3fs -f -d -o dbglevel=info -o curldbg -o allow_other -o iam_role -o url=https://s3.us-east-1.amazonaws.com xxx-s3fs-test /home/s3fs/s3-drive/

However, I am still getting a 403 access denied error when trying to mount the bucket via IAM role.
Does S3FS support this cross-account assume-role mount? Is there a way we can force S3FS to use the default config and authenticate as a specific role_arn? arn:aws:iam::AccountA:role/AccountA-bucket-role

I did check some issues but don't see any useful answer, looking forward for any help, thank you!
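
Added example, not part of the original issue and not s3fs code: a small triage script for debug output like the log above. It checks whether the key id that signed the denied S3 requests is the same one the instance metadata service returned for the instance role, notes a failed IMDSv2 token request, and masks secrets before the log is shared. The sample log is constructed with placeholder values, and the function and finding names are hypothetical.

```python
import re

# Constructed sample in the shape of the `-o dbglevel=info -o curldbg` output above.
# Role name, key id, secret and token are placeholders, not values from the issue.
SAMPLE_LOG = '''\
2021-08-17T00:51:23.323Z [CURL DBG] > GET /latest/meta-data/iam/security-credentials/ HTTP/1.1
2021-08-17T00:51:23.325Z [CURL DBG] > PUT /latest/api/token HTTP/1.1
2021-08-17T00:51:23.325Z [CURL DBG] < HTTP/1.0 417 Expectation Failed
2021-08-17T00:51:23.326Z [ERR] curl.cpp:GetIAMCredentials(2821): AWS IMDSv2 token retrieval failed: -5
2021-08-17T00:51:23.326Z [CURL DBG] > GET /latest/meta-data/iam/security-credentials/ExampleInstanceRole HTTP/1.1
2021-08-17T00:51:23.327Z [INF]       curl.cpp:SetIAMCredentials(1705): IAM credential response = "{
  "Code" : "Success",
  "AccessKeyId" : "ASIAEXAMPLEKEY000001",
  "SecretAccessKey" : "EXAMPLE-SECRET-NOT-REAL",
  "Token" : "EXAMPLE-TOKEN",
  "Expiration" : "2021-08-17T06:44:53Z"
}"
2021-08-17T00:51:23.353Z [CURL DBG] > Authorization: AWS4-HMAC-SHA256 Credential=ASIAEXAMPLEKEY000001/20210817/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-date, Signature=0000
2021-08-17T00:51:23.353Z [CURL DBG] > x-amz-security-token: EXAMPLE-TOKEN
2021-08-17T00:51:23.378Z [CURL DBG] < HTTP/1.1 403 Forbidden
2021-08-17T00:51:23.379Z [CURL DBG] > Authorization: AWS ASIAEXAMPLEKEY000001:AAAA=
2021-08-17T00:51:23.379Z [CURL DBG] > x-amz-security-token: EXAMPLE-TOKEN
2021-08-17T00:51:23.388Z [CURL DBG] < HTTP/1.1 403 Forbidden
'''

# Role-specific metadata request; the bare listing request ("/ HTTP/1.1") does not match.
ROLE_RE = re.compile(r"GET /latest/meta-data/iam/security-credentials/(\S+)")
# Key id inside the credential document returned by the metadata service.
IMDS_KEY_RE = re.compile(r'"AccessKeyId"\s*:\s*"([A-Z0-9]+)"')
# Key id in either a SigV4 or a SigV2 Authorization header.
SIGNER_RE = re.compile(r"Authorization: AWS(?:4-HMAC-SHA256 Credential=| )([A-Z0-9]+)[/:]")
DENIED_RE = re.compile(r"< HTTP/1\.[01] 403 ")
# Secret fields of the credential document that are not already masked.
SECRET_RE = re.compile(r'("(?:SecretAccessKey|Token)"\s*:\s*")(?!\[REDACTED\]")[^"]+(")')
HEADER_TOKEN_RE = re.compile(r"(x-amz-security-token: )\S+")

FINDING_TEXT = {
    "SIGNED_AS_INSTANCE_ROLE": "S3 returned 403 and every request was signed with the key id "
                               "issued for the instance role; no other credential set (such as "
                               "one from sts:AssumeRole) appears in the log.",
    "IMDSV2_FALLBACK": "The IMDSv2 token request failed before credentials were fetched.",
    "SECRET_IN_LOG": "The log contains SecretAccessKey/Token values in clear text; "
                     "run redact() before sharing it.",
}


def analyze(log_text):
    """Summarise which principal signed the S3 requests in an s3fs debug log."""
    role = ROLE_RE.search(log_text)
    imds_key = IMDS_KEY_RE.search(log_text)
    signers = set(SIGNER_RE.findall(log_text))
    report = {
        "instance_role": role.group(1) if role else None,
        "imds_key_id": imds_key.group(1) if imds_key else None,
        "signing_key_ids": signers,
        "denied": len(DENIED_RE.findall(log_text)),
        "findings": [],
    }
    # Same key id on the metadata response and on every signed request means the
    # instance role itself called S3; an assumed role would carry a different key id.
    if report["denied"] and imds_key and signers == {imds_key.group(1)}:
        report["findings"].append("SIGNED_AS_INSTANCE_ROLE")
    if "IMDSv2 token retrieval failed" in log_text:
        report["findings"].append("IMDSV2_FALLBACK")
    if SECRET_RE.search(log_text):
        report["findings"].append("SECRET_IN_LOG")
    return report


def redact(log_text):
    """Mask secret key and session token values; key ids stay so analysis still works."""
    out = SECRET_RE.sub(r"\1[REDACTED]\2", log_text)
    return HEADER_TOKEN_RE.sub(r"\1[REDACTED]", out)


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("instance role:", result["instance_role"])
    print("signing key ids:", sorted(result["signing_key_ids"]))
    print("403 responses:", result["denied"])
    for code in result["findings"]:
        print(f"[{code}] {FINDING_TEXT[code]}")
```

An AWS CLI profile with role_arn and credential_source = Ec2InstanceMetadata, like the one in the post, makes the CLI call sts:AssumeRole with the instance credentials before it talks to S3. A log in which only the instance role's key id signs requests therefore shows a different principal from the one aws s3 ls used.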

(#3) with host xxx-s3fs-test.s3.us-east-1.amazonaws.com 2021-08-17T00:51:23.379Z [CURL DBG] * Connected to xxx-s3fs-test.s3.us-east-1.amazonaws.com (52.217.205.130) port 443 (#3) 2021-08-17T00:51:23.379Z [CURL DBG] > GET / HTTP/1.1 2021-08-17T00:51:23.379Z [CURL DBG] > Host: xxx-s3fs-test.s3.us-east-1.amazonaws.com 2021-08-17T00:51:23.379Z [CURL DBG] > User-Agent: s3fs/1.89 (commit hash unknown; OpenSSL) 2021-08-17T00:51:23.379Z [CURL DBG] > Accept: */* 2021-08-17T00:51:23.379Z [CURL DBG] > Authorization: AWS ASIA4SAZRVPP57LXT3OI:Y70wASUeawprUtKxK4BbI4nr1Ec= 2021-08-17T00:51:23.379Z [CURL DBG] > Date: Tue, 17 Aug 2021 00:51:23 GMT 2021-08-17T00:51:23.379Z [CURL DBG] > x-amz-security-token: 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 2021-08-17T00:51:23.379Z [CURL DBG] > 2021-08-17T00:51:23.388Z [CURL DBG] < HTTP/1.1 403 Forbidden 2021-08-17T00:51:23.388Z [CURL DBG] < x-amz-bucket-region: us-east-1 2021-08-17T00:51:23.388Z [CURL DBG] < x-amz-request-id: G7YZRJM7GGJTB7AH 2021-08-17T00:51:23.388Z [CURL DBG] < x-amz-id-2: p9ZKAueC3nfUvhNQCGcwynRtrBoXNyaCFr3l6gxzj48cOkmPsjbda+MYRNhdP43wqbM9FLspVTM= 2021-08-17T00:51:23.388Z [CURL DBG] < Content-Type: application/xml 2021-08-17T00:51:23.388Z [CURL DBG] < Transfer-Encoding: chunked 2021-08-17T00:51:23.388Z [CURL DBG] < Date: Tue, 17 Aug 2021 00:51:23 GMT 2021-08-17T00:51:23.388Z [CURL DBG] < Server: AmazonS3 2021-08-17T00:51:23.388Z [CURL DBG] < 2021-08-17T00:51:23.388Z [CURL DBG] * Connection #3 to host xxx-s3fs-test.s3.us-east-1.amazonaws.com left intact 2021-08-17T00:51:23.388Z [ERR] curl.cpp:RequestPerform(2324): HTTP response code 403, returning EPERM. 
Body Text: <?xml version="1.0" encoding="UTF-8"?> <Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>G7YZRJM7GGJTB7AH</RequestId><HostId>p9ZKAueC3nfUvhNQCGcwynRtrBoXNyaCFr3l6gxzj48cOkmPsjbda+MYRNhdP43wqbM9FLspVTM=</HostId></Error> 2021-08-17T00:51:23.388Z [ERR] curl.cpp:CheckBucket(3396): Check bucket failed, S3 response: <?xml version="1.0" encoding="UTF-8"?> <Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>G7YZRJM7GGJTB7AH</RequestId><HostId>p9ZKAueC3nfUvhNQCGcwynRtrBoXNyaCFr3l6gxzj48cOkmPsjbda+MYRNhdP43wqbM9FLspVTM=</HostId></Error> 2021-08-17T00:51:23.388Z [CRT] s3fs.cpp:s3fs_check_service(3517): invalid credentials(host=https://s3.us-east-1.amazonaws.com) - result of checking service. 2021-08-17T00:51:23.388Z [ERR] s3fs.cpp:s3fs_exit_fuseloop(3321): Exiting FUSE event loop due to errors 2021-08-17T00:51:23.418Z [INF] s3fs.cpp:s3fs_destroy(3389): destroy ``` ### Details about issue Hi All Account A: Account has destination s3 bucket. Account B: My EC2 instance account. I want to mount account A's s3 bucket on account B(EC2 instance). I've followed this tutorial https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/ to set up Cross-account IAM roles. I am able to fetch bucket info via AWS CLI `aws s3 ls`, which means the cross account permission setup is correct This is my `~/.aws/config`, ``` [default] role_arn = arn:aws:iam::AccountA:role/AccountA-bucket-role credential_source = Ec2InstanceMetadata region = us-east-1 output = json ``` And `~/.aws/crendentials` is empty I tried to add `-o profile=default` but won't work. ``` sudo s3fs -f -d -o dbglevel=info -o curldbg -o allow_other -o iam_role -o url=https://s3.us-east-1.amazonaws.com xxx-s3fs-test /home/s3fs/s3-drive/ ``` However I am still getting 403 access denied error when trying on mount bucket via iam role. Is S3FS supporting this cross account assume role mount? 
Is there way we can force S3FS to use the default config and auth as specific role_arn? `arn:aws:iam::AccountA:role/AccountA-bucket-role` I did check some issues but don't see any useful answer, looking forward for any help, thank you!

@rads18 commented on GitHub (Jul 9, 2022):

Is there an update on this issue please? It's a great utility, but we have an app spread across various accounts and wanted to use a common mount S3 source when extracting a config log for ease of use.

Please suggest!

Thanks


@ggtakec commented on GitHub (Jul 9, 2022):

It looks like the token can be obtained from the meta URL (`/latest/meta-data/iam/security-credentials/xxxxxxxRole`).
And when s3fs accessed the bucket, it seems that s3fs received a 403.

```
HTTP response code 403, returning EPERM. Body Text: <?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message>Access Denied</Message>...
```

It seems that the access rights are not appropriate, so it seems good to check the Bucket or EC2 settings.

Could anyone give us some advice on the settings?
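
Added example, not part of the thread and not s3fs code: a small parser for `-o curldbg` output like the log in the issue, recording for each request the signature version, access key ID, whether a session token was sent, and the S3 error code. `AccessDenied` on both the SigV4 and the SigV2 attempt means S3 accepted the signature and refused the call at policy evaluation; a credential problem would return `SignatureDoesNotMatch`, `InvalidAccessKeyId`, `ExpiredToken` or `InvalidToken` instead. The sample log is constructed and `summarize` is a hypothetical helper name.

```python
import re

# Constructed sample, abridged from the s3fs "-o curldbg" output in the issue
# (key ID, signatures, token and request IDs are made up).
SAMPLE_LOG = """\
2021-08-17T00:51:23.353Z [CURL DBG] > GET / HTTP/1.1
2021-08-17T00:51:23.353Z [CURL DBG] > Authorization: AWS4-HMAC-SHA256 Credential=ASIAEXAMPLEKEYID0000/20210817/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-date;x-amz-security-token, Signature=00ff
2021-08-17T00:51:23.353Z [CURL DBG] > x-amz-security-token: EXAMPLETOKEN
2021-08-17T00:51:23.378Z [CURL DBG] < HTTP/1.1 403 Forbidden
2021-08-17T00:51:23.378Z [ERR] curl.cpp:RequestPerform(2324): HTTP response code 403, returning EPERM. Body Text: <Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>EXAMPLEREQ1</RequestId></Error>
2021-08-17T00:51:23.379Z [CURL DBG] > GET / HTTP/1.1
2021-08-17T00:51:23.379Z [CURL DBG] > Authorization: AWS ASIAEXAMPLEKEYID0000:c2lnbmF0dXJl
2021-08-17T00:51:23.379Z [CURL DBG] > x-amz-security-token: EXAMPLETOKEN
2021-08-17T00:51:23.388Z [CURL DBG] < HTTP/1.1 403 Forbidden
2021-08-17T00:51:23.388Z [ERR] curl.cpp:RequestPerform(2324): HTTP response code 403, returning EPERM. Body Text: <Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>EXAMPLEREQ2</RequestId></Error>
"""

AUTH_V4 = re.compile(r"> Authorization: AWS4-HMAC-SHA256 Credential=([A-Z0-9]+)/\d{8}/")
AUTH_V2 = re.compile(r"> Authorization: AWS ([A-Z0-9]+):")
STATUS = re.compile(r"< HTTP/1\.[01] (\d{3})")
S3_ERR = re.compile(r"<Code>([^<]+)</Code>.*?<RequestId>([^<]+)</RequestId>")
# S3 error codes that mean the request never authenticated; AccessDenied means
# the signature was accepted and policy evaluation refused the call.
AUTHN_CODES = {"SignatureDoesNotMatch", "InvalidAccessKeyId", "ExpiredToken", "InvalidToken"}

def summarize(log):
    """Return one dict per HTTP request found in s3fs curldbg output."""
    requests, cur = [], None
    for line in log.splitlines():
        if re.search(r"\[CURL DBG\] > [A-Z]+ \S+ HTTP/", line):  # request line
            cur = {"sigver": None, "key_id": None, "session_token": False,
                   "status": None, "code": None, "request_id": None}
            requests.append(cur)
        if cur is None:
            continue
        if m := AUTH_V4.search(line):
            cur["sigver"], cur["key_id"] = "v4", m.group(1)
        elif m := AUTH_V2.search(line):
            cur["sigver"], cur["key_id"] = "v2", m.group(1)
        elif "> x-amz-security-token:" in line:
            cur["session_token"] = True
        elif m := STATUS.search(line):
            cur["status"] = int(m.group(1))
        elif (m := S3_ERR.search(line)) and cur["code"] is None:
            cur["code"], cur["request_id"] = m.group(1), m.group(2)
    for r in requests:
        r["failure"] = ("authentication" if r["code"] in AUTHN_CODES
                        else "authorization" if r["code"] == "AccessDenied" else None)
    return requests
```
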


@rads18 commented on GitHub (Jul 9, 2022):

I have tried the same creds to run an AWS S3 copy/move for a bucket (in account A) from account B (EC2 instance) and that works smoothly. It's just that the mount for a bucket (in A) to EC2 (in B) does not succeed; a local bucket from B mounts fine in its EC2.

Also, I should clarify that for testing purposes I am not using any meta reference, just created a pass file with access/secret

like so,

```
s3fs (bucketname A) /mnt -o passwd_file=~/.passwd-s3fs
```
