我有一个 AWS Elastic Beanstalk Rails 应用程序,我正在通过配置脚本配置它以从 S3 存储桶中提取一些文件。当我启动该应用程序时,我不断在日志中收到以下错误 (出于安全考虑,存储桶名称已更改):
Failed to retrieve https://s3.amazonaws.com/my.bucket/bootstrap.sh: HTTP Error 403 : <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message>
配置文件:
packages:
yum:
git: []
files:
/opt/elasticbeanstalk/hooks/appdeploy/pre/01a_bootstrap.sh:
mode: "00755"
owner: root
group: root
source: https://s3.amazonaws.com/my.bucket/bootstrap.sh
Elastic Beanstalk 环境设置为aws-elasticbeanstalk-ec2-role
IAM 角色作为其实例角色。此角色具有以下策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": "arn:aws:s3:::my.bucket/*"
}
]
}
S3存储桶具有以下策略:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "Stmt1371012493903",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account #>:role/aws-elasticbeanstalk-ec2-role"
},
"Action": [
"s3:List*",
"s3:Get*"
],
"Resource": "arn:aws:s3:::my.bucket/*"
}
]
}
我需要进行哪些更改才能让我的 EC2 实例访问我的 S3 存储桶?
答案1
从您的 EC2 实例中,您还必须检索实例元数据中的临时凭证:
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<your-iam-role-name>
然后,您将使用提供的访问密钥和密钥来访问您的 S3 存储桶。
答案2
如果是跨账户访问,请检查它是否与此处提到的 ACL 标头相关:https://stackoverflow.com/a/34055538/1736679(更多信息请见此问题线索:https://github.com/aws/aws-cli/issues/1674)
另外,请仔细检查您正在运行的环境/用户,以查看是否没有覆盖密钥(1AWS_ACCESS_KEY1等)/etc/environment
或~/.aws/credentials