If you use an S3 VPC endpoint rather than a NAT gateway or proxy to reach the Amazon yum repositories, this post should be helpful to you.
We use an S3 endpoint to access the Amazon repositories, and we noticed that every yum operation failed with an 'HTTPS Error 403 - Forbidden' error on EC2 instances launched from the latest Amazon Linux 2 AMI in the Sydney region (ami-007b2c28096a63f37).
It turns out that AWS has changed the yum configuration in the latest Amazon Linux 2 AMI in the Sydney region, and I have not found any official documentation from AWS about it so far.
EC2 that is launched from previous AMI
$ for each in $(ls /etc/yum/vars); do echo -n "$each is "; cat "/etc/yum/vars/$each" | grep -v '^$'; done
amazonlinux is amazonlinux
awsdomain is amazonaws.com
awsproto is http
awsregion is ap-southeast-2
product is core
target is latest
EC2 that is launched from the latest AMI
$ for each in $(ls /etc/yum/vars); do echo -n "$each is "; cat "/etc/yum/vars/$each" | grep -v '^$'; done
amazonlinux is amazonlinux-2-repos-ap-southeast-2.s3
awsdomain is amazonaws.com
awsproto is https
awsregion is ap-southeast-2
product is core
target is latest
As shown above, $amazonlinux and $awsproto have changed: the repository is now fetched over HTTPS directly from the S3 bucket amazonlinux-2-repos-ap-southeast-2. Our S3 endpoint policy only allowed the buckets we had listed explicitly, and that bucket was not among them, so the requests were denied with 403. Once we added "arn:aws:s3:::amazonlinux-2-repos-ap-southeast-2/*" to the S3 endpoint policy, yum started working again.
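The check below is an added example and not part of the original post: it reads the /etc/yum/vars values shown above, derives the bucket name from $amazonlinux (the ".s3" suffix rule follows the output in the post), builds the object ARN pattern the endpoint policy needs, and tests whether a given policy document already lists it. The two policy documents and the "EXAMPLE-old-repo-bucket" name are constructed sample data, not real policies.

```shell
# Added example (not from the original post): derive the S3 bucket that the
# Amazon Linux 2 yum variables point at and check whether a VPC endpoint
# policy already allows it. Policy documents below are constructed samples.

# Print the bucket name encoded in $amazonlinux, or fail (status 1) when the
# value is a plain mirror hostname as on older AMIs.
bucket_from_var() {
  case "$1" in
    *.s3) printf '%s\n' "${1%.s3}" ;;
    *)    return 1 ;;
  esac
}

# Given a /etc/yum/vars-style directory, print the object ARN pattern that the
# endpoint policy must allow; fail when no S3 bucket is involved.
required_arn() {
  var_value=$(grep -v '^$' "$1/amazonlinux")
  bucket=$(bucket_from_var "$var_value") || return 1
  printf 'arn:aws:s3:::%s/*\n' "$bucket"
}

# 0 if the policy file names the ARN pattern, 1 otherwise. This is a plain
# text match; a full audit would parse the JSON and evaluate wildcard Resources.
policy_allows() {
  grep -Fq "\"$2\"" "$1"
}

# Build a scratch directory with constructed yum vars and two sample policies
# (before and after the fix described in the post) and print its path.
make_fixture() {
  dir=$(mktemp -d)
  mkdir "$dir/vars"
  printf 'amazonlinux-2-repos-ap-southeast-2.s3\n' > "$dir/vars/amazonlinux"
  printf 'https\n' > "$dir/vars/awsproto"
  # Before: only a placeholder bucket is allowed, so the new repo bucket is denied.
  cat > "$dir/policy-before.json" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": ["arn:aws:s3:::EXAMPLE-old-repo-bucket/*"]
  }]
}
EOF
  # After: the bucket from the post has been added to the Resource list.
  cat > "$dir/policy-after.json" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": [
      "arn:aws:s3:::EXAMPLE-old-repo-bucket/*",
      "arn:aws:s3:::amazonlinux-2-repos-ap-southeast-2/*"
    ]
  }]
}
EOF
  printf '%s\n' "$dir"
}

# On a real instance, with the endpoint policy saved locally:
#   policy_allows my-endpoint-policy.json "$(required_arn /etc/yum/vars)" && echo allowed
```

Keeping the endpoint policy to an explicit list of buckets is the right default; the lesson from this incident is that the list has to be re-checked whenever a new AMI changes where yum fetches from, and this script makes that check mechanical.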
You’re a lifesaver. Good spot!