403 Forbidden #10

Closed
organicveggie opened this issue Jan 26, 2013 · 3 comments

@organicveggie

I'm back with another fun problem. Again. :) Perhaps by typing it all out in an issue report I'll find a mistake on my end. Here's hoping. :)

I'm still working on mirroring a handful of public repositories to S3. I've got most of CentOS and RepoForge working correctly with yum-s3-iam, as well as our own private repo.

This time I'm trying to mirror the Fedora EPEL repo. Pretty simple script to mirror it:

rsync -vaH --numeric-ids --delete --delete-after --delay-updates rsync://dl.fedoraproject.org/fedora-epel epel/

Seems to work fine:

$ ls -al
drwxr-xr-x 6 root root   4096 Jan 21 22:48 .
drwxr-xr-x 5 root root   4096 Sep 27 12:09 ..
drwxr-xr-x 3 root root   4096 Sep 26 16:11 CentOS
drwxrwsr-x 7  263    263 4096 Jan 24 20:42 epel
drwxrwxr-x 4  101 nobody 4096 Jan 24 20:50 repoforge
drwxr-xr-x 4 root root   4096 Sep 27 12:10 mycompany

I then sync it to S3 (along with the others) with s3cmd:

s3cmd sync --skip-existing --delete-removed ./ s3://example-yum/

Everything shows up in S3 successfully. I updated the /etc/yum.repos.d/epel.repo config:

[epel]
name=Extra Packages for Enterprise Linux 6 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/6/$basearch
#mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=$basearch
baseurl=baseurl=http://example-yum.s3.amazonaws.com/epel/6/x86_64
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
s3_enabled=1
exclude=nagios* mongodb*

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 6 - $basearch - Debug
#baseurl=http://download.fedoraproject.org/pub/epel/6/$basearch/debug
#mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-6&arch=$basearch
baseurl=http://example-yum.s3.amazonaws.com/epel/6/$basearch/debug
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
gpgcheck=1
s3_enabled=1
exclude=nagios* mongodb*

[epel-source]
name=Extra Packages for Enterprise Linux 6 - $basearch - Source
#baseurl=http://download.fedoraproject.org/pub/epel/6/SRPMS
#mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-source-6&arch=$basearch
baseurl=http://example-yum.s3.amazonaws.com/epel/6/SRPMS
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
gpgcheck=1
s3_enabled=1
exclude=nagios* mongodb*

When I try to do a yum info, I get a 403:

Loaded plugins: fastestmirror, s3iam, security
s3iam: found S3 private repository
s3iam: found S3 private repository
s3iam: found S3 private repository
s3iam: found S3 private repository
Determining fastest mirrors
 * base: mirrors.seas.harvard.edu
 * extras: mirrors.rit.edu
 * updates: mirror.cogentco.com
10gen
10gen/primary     
10gen
base
base/primary_db

HTTP Error 403: Forbidden

If I disable the EPEL repo, it works. Meanwhile, CentOS updates and RepoForge work just fine with yum-s3-iam. So there has to be something different about the EPEL repo. Any suggestions on what I might look for?

@murugaprabum

HTTP Error 403: Forbidden means you don't have access to a resource in S3. Double check the permissions available for the security credentials that you are using.

@organicveggie
Author

Yeah, that was what I figured. Unfortunately, I can't see anything obvious. The IAM role for the server opens up the entire bucket. All of the repos are in the same bucket, so you'd think that if one repo works, they all should work. Which is why I'm assuming I have something simple screwed up.

{
  "Statement": [
    {
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::example-yum"
      ]
    },
    {
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::example-yum/*"
      ]
    }
  ]
}

@murugaprabum

I am not able to find out the exact problem by looking at your Policy Statement. One crude method I would suggest to try is, "Action" : ["s3:Get*"] instead of "Action" : ["s3:GetObject"]
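
An added example, not written by anyone in this thread and not part of yum-s3-iam: a simplified policy evaluator run over the policy posted above. It shows one S3 behaviour worth ruling out: without `s3:ListBucket` on the bucket, a GET for a key that does not exist returns 403 rather than 404, and `s3:Get*` does not change that. The object key and helper names are constructed for illustration, and the thread does not establish that this caused the 403 reported here.

```python
import copy
import re

# Policy as posted in the thread above (bucket name example-yum is the poster's).
POLICY = {"Statement": [
    {"Action": ["s3:ListAllMyBuckets"], "Effect": "Allow", "Resource": ["arn:aws:s3:::*"]},
    {"Action": ["s3:GetObject"], "Effect": "Allow", "Resource": ["arn:aws:s3:::example-yum"]},
    {"Action": ["s3:GetObject"], "Effect": "Allow", "Resource": ["arn:aws:s3:::example-yum/*"]},
]}

def _glob(pattern, value, flags=0):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, flags | re.DOTALL) is not None

def allowed(policy, action, resource):
    """Simplified identity-policy check: explicit Deny wins, then any Allow,
    otherwise implicit deny. Condition/NotAction/NotResource are not handled."""
    hit = False
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if not any(_glob(a, action, re.IGNORECASE) for a in actions):
            continue  # action names are case-insensitive
        if not any(_glob(r, resource) for r in resources):
            continue  # ARNs are matched case-sensitively
        if st["Effect"] == "Deny":
            return False
        hit = True
    return hit

def s3_get_status(policy, bucket, key, key_exists):
    """HTTP status for GET of bucket/key when this policy is the only grant."""
    if not allowed(policy, "s3:GetObject", f"arn:aws:s3:::{bucket}/{key}"):
        return 403
    if key_exists:
        return 200
    # A missing key is reported as 404 only to callers allowed to list the
    # bucket; everyone else gets 403, which looks like a permissions failure.
    return 404 if allowed(policy, "s3:ListBucket", f"arn:aws:s3:::{bucket}") else 403

def with_action(policy, action, resource):
    """Return a copy of policy with one extra Allow statement appended."""
    out = copy.deepcopy(policy)
    out["Statement"].append({"Action": [action], "Effect": "Allow", "Resource": [resource]})
    return out

if __name__ == "__main__":
    key = "epel/6/x86_64/repodata/repomd.xml"  # constructed sample key
    fixed = with_action(POLICY, "s3:ListBucket", "arn:aws:s3:::example-yum")
    for name, pol in (("posted", POLICY), ("posted + s3:ListBucket", fixed)):
        print(name, [s3_get_status(pol, "example-yum", key, e) for e in (True, False)])
```

With `s3:ListBucket` granted on `arn:aws:s3:::example-yum`, a wrong path or an object that never synced surfaces as a 404, which separates a missing file from a real access denial.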
