
I'm trying to run a bash script on a CentOS server. I'm running the script as the root user (for file permissions), but I also need to use the AWS service permissions that belong to a service account. We have decided not to give the root account access to the AWS environment.

If I run the script manually (./disk-arcive.sh) it works without a problem. When I run it from my crontab it silently fails when changing to the aws-cli-user. No error message, and only when started by cron.

How it is being called in crontab (sudo crontab -e):

0 20 * * * /bin/sh /etc/disk-arcive.sh 

Summary of shell file:

#!/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin    # Same as root
find (old stuff) >> /old-stuff.temp    # placeholder in the post for the real find command
while read line; do
    /opt/bin/encryption-tool "$line" >> /encrypt_logfile.log    # key access requires root permission
done < /old-stuff.temp
while read line; do
    sudo -u aws-cli-user /usr/local/bin/aws s3 mv "$line.pgp" s3://mybucket"$line.pgp" >> /bucket_logfile.log    # switch to user fails, user needed for s3 permissions
    sudo -u aws-cli-user echo "User is now aws-cli-user" >> /bucket_logfile.log    # added for debugging, does not work
    echo "looks like $line is done" >> /bucket_logfile.log    # added for debugging, works
done < /old-stuff.temp
exit

UPDATE1: I've updated the "user switching" lines to the following. It appears to fail differently; however, if I use any aws s3 options (i.e. --sse or --acl) those are being read as part of the su options.

su -l aws-cli-user -c '/usr/local/bin/aws s3 mv "$line.pgp" s3://mybucket"$line.pgp" --sse >> /bucket_logfile.log'    # switch to user fails, user needed for s3 permissions
su -l aws-cli-user -c 'echo "User is now aws-cli-user $(whoami)" >> /bucket_logfile.log'    # added for debugging, does not work; enters a blank line into the log file

The output of the echo line shows that the $line is now being passed when the user is switched.

1 Answer


OK, got this working; it took a few changes.

su -l username -c command

This allowed for the user change in cron. The next thing was working with single quotes and double quotes to have the command "compiled" correctly; I only found one reference to this, so I may have the terminology incorrect.

su -l aws-cli-user -c '/usr/local/bin/aws s3 mv "$line.pgp" s3://mybucket"$line.pgp" --sse >> /bucket_logfile.log' 

The single quote has the user "compile" the command, and it doesn't know what the $line variable is, so the command cannot find a file reference.

su -l aws-cli-user -c "/usr/local/bin/aws s3 mv '$line.pgp' s3://mybucket'$line.pgp' --sse >> /bucket_logfile.log" 

Now with double quotes the root user compiles the work, including the $line variable, then passes the completed command to the other user to run. Because of this, using $(whoami) would always show root even if the other user is performing the command with their permissions.
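The quoting behaviour the answer describes, and the caveat that comes with the double-quoted form, as an added example that is not part of the question or the answer. It needs neither root nor a second account: su -c CMD ends up running the target user's shell as `shell -c CMD`, and `-l` gives that shell a fresh environment, so `env -i sh -c CMD` reproduces the same expansion rules. printf stands in for the aws command, and the two file names are constructed sample input. The third form, passing the name as a positional parameter, goes beyond what the answer shows; that util-linux su forwards arguments after the user name to the shell is my reading of its man page, so confirm it with `man su` on your system before relying on it.

```shell
#!/bin/sh
# Added example, not code from the original post. Reproduces the three
# `su -l user -c ...` quoting forms with plain `env -i sh -c`, which is what
# su runs underneath once the target user's login environment is set up.

# Form 1: single quotes. The outer shell does not touch $line; the text
# reaches the inner shell literally, and the inner shell has no variable of
# that name, so the command sees an empty name (".pgp"). This is the
# "cannot find a file reference" case from the answer.
single_quoted() {
    line=$1
    env -i PATH=/usr/bin:/bin sh -c 'printf "%s\n" "$line.pgp"'
}

# Form 2: double quotes. The outer shell expands $line into the command text
# before su ever runs, so the inner shell sees the real name. This is also
# why $(whoami) inside double quotes reports the outer (root) user. The
# catch: the name is now shell source code for the inner shell, so a file
# name containing a quote, ';' or '$(...)' is executed as a command, as the
# target user. Anyone who can create a file that find will pick up gets
# command execution this way.
double_quoted() {
    line=$1
    env -i PATH=/usr/bin:/bin sh -c "printf '%s\n' '$line.pgp'"
}

# Form 3: pass the name as a positional parameter. The command text is a
# fixed single-quoted string and the value arrives as $1, so the inner shell
# never parses it as code. sh -c accepts extra arguments after the command
# ($0, $1, ...); util-linux su forwards arguments given after the user name
# to the shell the same way (assumption based on `man su`, check locally):
#   su -l aws-cli-user -c '/usr/local/bin/aws s3 mv "$1.pgp" "s3://mybucket$1.pgp" --sse' sh "$line"
positional_param() {
    line=$1
    env -i PATH=/usr/bin:/bin sh -c 'printf "%s\n" "$1.pgp"' sh "$line"
}

# Constructed sample names: an ordinary path as find might print it, and a
# hostile one that closes the single quote and appends a command.
PLAIN='/old-stuff/backup-2020'
HOSTILE="/old-stuff/x'; echo INJECTED #"

echo "single quotes          : [$(single_quoted "$PLAIN")]"
echo "double quotes          : [$(double_quoted "$PLAIN")]"
echo "double quotes, hostile : [$(double_quoted "$HOSTILE")]"
echo "positional, hostile    : [$(positional_param "$HOSTILE")]"
```

Running it prints an empty ".pgp" for the single-quoted form, the full path for the double-quoted form, the path followed by a line reading INJECTED when the hostile name goes through the double-quoted form, and the hostile name reproduced verbatim (no command run) for the positional form. The same applies to the original sudo attempt: `sudo -u aws-cli-user /usr/local/bin/aws s3 mv "$line.pgp" ...` hands the name to aws as an argument with no shell in between, so it is not exposed to this problem either; the post does not say why that form failed under cron.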
