afunsten · August 4, 2018 03:35
diff --git a/get_s3_file.sh b/get_s3_file.sh
 #!/bin/bash
 # https://gist.github.com/afunsten
 # https://gist.github.com/davidejones/d05f51df75e659111227

 #example: bash get_s3_file.sh -b some-bucket-name -f some-file-key-path -o some-output-file
 #you must first give root user of the aws acct bucket access 
 #you must also give user role bucket access

 while getopts :b:f:o:r: option; do
    case "${option}" in
    	b) bucket="${OPTARG}";;
        f) filekey="${OPTARG}";;
        o) outputfullpath="${OPTARG}";;
        r) region="${OPTARG}";;
    esac
 done

 #defaults
 : "${bucket:=some-bucket-default}"
 : "${filekey:=some-file-key-path-default}"
 : "${outputfullpath:=./get_s3_file_output}"
 : "${region:=}"

 instance_profile=`curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/`
 aws_access_key_id=`curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/${instance_profile} | grep AccessKeyId | cut -d':' -f2 | sed 's/[^0-9A-Z]*//g'`
 aws_secret_access_key=`curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/${instance_profile} | grep SecretAccessKey | cut -d':' -f2 | sed 's/[^0-9A-Za-z/+=]*//g'`
 token=`curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/${instance_profile} | sed -n '/Token/{p;}' | cut -f4 -d'"'`

 date="`date +'%a, %d %b %Y %H:%M:%S %z'`"
 resource="/${bucket}/${filekey}"
 signature_string="GET\n\n\n${date}\nx-amz-security-token:${token}\n/${resource}"
 signature=`/bin/echo -en "${signature_string}" | openssl sha1 -hmac ${aws_secret_access_key} -binary | base64`
 authorization="AWS ${aws_access_key_id}:${signature}"

 curl -s -H "Date: ${date}" -H "X-AMZ-Security-Token: ${token}" -H "Authorization: ${authorization}" "https://s3${region}.amazonaws.com/${resource}" -o "${outputfullpath}"
 # for encrpted files  you also need ...
 # -H "x-amz-server-side-encryption-customer-algorithm: AES256" 
 # -H "x-amz-server-side-encryption-customer-key: yourstring"
 # -H "x-amz-server-side-encryption-customer-key-MD5: yourstring" 
 #https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectGET.html
diff --git a/policy-for-bucket b/policy-for-bucket
 {
 	"Version": "2012-10-17",
 	"Id": "Policy1441048292119",
 	"Statement": [
 		{
 			"Sid": "Stmt1441048289544",
 			"Effect": "Allow",
 			"Principal": {
 				"AWS": [
 					"arn:aws:iam::123456789012:role/your_role_name",
 				]
 			},
 			"Action": "s3:*",
 			"Resource": "arn:aws:s3:::some-bucket-of-mine/*"
 		}
 	]
 }
diff --git a/policy-for-iam b/policy-for-iam
 {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::some-bucket-of-mine",
                "arn:aws:s3:::some-bucket-of-mine/*"
            ]
        },
    ]
 }
	#!/bin/bash
	# https://gist.github.com/afunsten
	# https://gist.github.com/davidejones/d05f51df75e659111227

	#example: bash get_s3_file.sh -b some-bucket-name -f some-file-key-path -o some-output-file
	#you must first give root user of the aws acct bucket access
	#you must also give user role bucket access

	while getopts :b:f:o:r: option; do
	case "${option}" in
	b) bucket="${OPTARG}";;
	f) filekey="${OPTARG}";;
	o) outputfullpath="${OPTARG}";;
	r) region="${OPTARG}";;
	esac
	done

	#defaults
	: "${bucket:=some-bucket-default}"
	: "${filekey:=some-file-key-path-default}"
	: "${outputfullpath:=./get_s3_file_output}"
	: "${region:=}"

	instance_profile=`curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/`
	aws_access_key_id=`curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/${instance_profile} \| grep AccessKeyId \| cut -d':' -f2 \| sed 's/[^0-9A-Z]*//g'`
	aws_secret_access_key=`curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/${instance_profile} \| grep SecretAccessKey \| cut -d':' -f2 \| sed 's/[^0-9A-Za-z/+=]*//g'`
	token=`curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/${instance_profile} \| sed -n '/Token/{p;}' \| cut -f4 -d'"'`

	date="`date +'%a, %d %b %Y %H:%M:%S %z'`"
	resource="/${bucket}/${filekey}"
	signature_string="GET\n\n\n${date}\nx-amz-security-token:${token}\n/${resource}"
	signature=`/bin/echo -en "${signature_string}" \| openssl sha1 -hmac ${aws_secret_access_key} -binary \| base64`
	authorization="AWS ${aws_access_key_id}:${signature}"

	curl -s -H "Date: ${date}" -H "X-AMZ-Security-Token: ${token}" -H "Authorization: ${authorization}" "https://s3${region}.amazonaws.com/${resource}" -o "${outputfullpath}"
	# for encrpted files you also need ...
	# -H "x-amz-server-side-encryption-customer-algorithm: AES256"
	# -H "x-amz-server-side-encryption-customer-key: yourstring"
	# -H "x-amz-server-side-encryption-customer-key-MD5: yourstring"
	#https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectGET.html
	{
	"Version": "2012-10-17",
	"Id": "Policy1441048292119",
	"Statement": [
	{
	"Sid": "Stmt1441048289544",
	"Effect": "Allow",
	"Principal": {
	"AWS": [
	"arn:aws:iam::123456789012:role/your_role_name",
	]
	},
	"Action": "s3:*",
	"Resource": "arn:aws:s3:::some-bucket-of-mine/*"
	}
	]
	}