Before mentioning my problem, I want to inform you that I'm using Terraform and have a Nexus container running on EC2, orchestrated by Amazon ECS. Here is the objective: I want to create an S3 blobstore on Nexus. I created a task definition and added the correct execution and task roles to make Nexus work properly at first. When I created the S3 blobstore I got the error "The S3 bucket exists but you are not the owner". When I faced this problem I tried the optional authentication mentioned by Sonatype. I created an IAM user and gave it S3FullAccess permissions. I created credentials. I associated this IAM user with the target S3 bucket as the following code shows.
```hcl
# Bucket policy granting the dedicated IAM user access to the blobstore bucket
data "aws_iam_policy_document" "nexus_s3_blobstore_policy_document" {
  statement {
    effect = "Allow"
    actions = [
      "s3:PutObject",
      "s3:GetObject",
      "s3:DeleteObject",
      "s3:ListBucket",
      "s3:GetLifecycleConfiguration",
      "s3:PutLifecycleConfiguration",
      "s3:PutObjectTagging",
      "s3:GetObjectTagging",
      "s3:DeleteObjectTagging",
      "s3:GetBucketAcl",
    ]
    resources = [
      aws_s3_bucket.nexus_repo.arn,        # bucket-level actions
      "${aws_s3_bucket.nexus_repo.arn}/*", # object-level actions
    ]
    principals {
      type        = "AWS"
      identifiers = [aws_iam_user.s3_blobstore_access_user.arn]
    }
  }
}

resource "aws_s3_bucket_policy" "blob_store_rules" {
  bucket = aws_s3_bucket.nexus_repo.id
  policy = data.aws_iam_policy_document.nexus_s3_blobstore_policy_document.json
}
```
This worked fine for me and I managed to create the S3 blobstore. Now I don't want to use this optional authentication. Some experts recommended that I add IAM policies for accessing the S3 bucket and attach them to the execution role associated with the task definition, to avoid the authentication. Here are my added policies and their attachments in Terraform. I may be using a lot of wrong, useless code. I don't know if there is an error in the code or whether the solution itself is wrong.
```hcl
# Trust policy letting ECS tasks assume the roles below
data "aws_iam_policy_document" "ecs_task_doc" {
  statement {
    actions = ["sts:AssumeRole"]
    effect  = "Allow"
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

data "aws_iam_policy_document" "nexus_s3_access_policy_document" {
  statement {
    effect = "Allow"
    actions = [
      "s3:DeleteBucket",
      "s3:CreateBucket",
    ]
    resources = [
      aws_s3_bucket.nexus_repo.arn,
      "${aws_s3_bucket.nexus_repo.arn}/*",
    ]
  }
}

/* IAM document policy for S3 */
resource "aws_iam_policy" "s3_bucket_policy" {
  name   = "s3BucketPolicy"
  policy = data.aws_iam_policy_document.nexus_s3_access_policy_document.json
}

resource "aws_iam_role" "ecs_task_role" {
  name               = "ecs-task-role-${local.name_suffix}"
  assume_role_policy = data.aws_iam_policy_document.ecs_task_doc.json
}

resource "aws_iam_role" "ecs_exec_role" {
  name               = "ecs-exec-role-${local.name_suffix}"
  assume_role_policy = data.aws_iam_policy_document.ecs_task_doc.json
}

# AWS-managed policy the execution role needs for image pulls and logs
resource "aws_iam_role_policy_attachment" "ecs_exec_role_policy" {
  role       = aws_iam_role.ecs_exec_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

/* Attachment of the task role to the S3 policy */
resource "aws_iam_role_policy_attachment" "ecs_task_s3_attachement" {
  role       = aws_iam_role.ecs_task_role.name
  policy_arn = aws_iam_policy.s3_bucket_policy.arn
}

# Same S3 policy also attached to the execution role
resource "aws_iam_role_policy_attachment" "ecs_s3_role_exec_attachement" {
  role       = aws_iam_role.ecs_exec_role.name
  policy_arn = aws_iam_policy.s3_bucket_policy.arn
}
```
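As an added example (not the asker's code), this is how the role-based approach described in the question is usually wired: the task role gets the same bucket and object actions the bucket policy granted the IAM user, and the task definition references that role via task_role_arn. It reuses aws_iam_role.ecs_task_role, aws_iam_role.ecs_exec_role and aws_s3_bucket.nexus_repo from the question; the container image, memory and port values are assumptions. One caveat worth checking: the AWS SDK inside the container obtains credentials from the task role, while the execution role is only used by the ECS agent for image pulls and log delivery.

```hcl
# Added example: grant the task role the same bucket/object actions the
# asker's bucket policy gave the IAM user, then wire that role into the
# task definition. Reuses aws_iam_role.ecs_task_role / ecs_exec_role and
# aws_s3_bucket.nexus_repo from the question; image and sizes are assumed.
data "aws_iam_policy_document" "nexus_blobstore_task_policy" {
  statement {
    effect = "Allow"
    actions = [
      "s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:ListBucket",
      "s3:GetLifecycleConfiguration", "s3:PutLifecycleConfiguration",
      "s3:PutObjectTagging", "s3:GetObjectTagging", "s3:DeleteObjectTagging",
      "s3:GetBucketAcl",
    ]
    resources = [
      aws_s3_bucket.nexus_repo.arn,        # bucket-level actions (ListBucket, ACL)
      "${aws_s3_bucket.nexus_repo.arn}/*", # object-level actions
    ]
  }
}

# Inline policy on the task role: the Nexus process picks these credentials
# up from the ECS task credentials endpoint, so no static access keys exist.
resource "aws_iam_role_policy" "nexus_blobstore_task_policy" {
  name   = "nexus-blobstore-s3"
  role   = aws_iam_role.ecs_task_role.id
  policy = data.aws_iam_policy_document.nexus_blobstore_task_policy.json
}

# task_role_arn is what the application's AWS SDK calls run as; the
# execution role is only used by the ECS agent to pull images and ship logs.
resource "aws_ecs_task_definition" "nexus" {
  family                   = "nexus-${local.name_suffix}"
  requires_compatibilities = ["EC2"]
  network_mode             = "bridge"
  task_role_arn            = aws_iam_role.ecs_task_role.arn
  execution_role_arn       = aws_iam_role.ecs_exec_role.arn
  container_definitions = jsonencode([{
    name         = "nexus"
    image        = "sonatype/nexus3" # assumed image
    essential    = true
    memory       = 4096              # assumed container memory (MiB)
    portMappings = [{ containerPort = 8081, hostPort = 8081 }]
  }])
}
```

After applying, confirm from inside the container that the task role is in use (for example, with the AWS CLI's sts get-caller-identity) before retrying the blobstore creation.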