授予EC2 IAM角色对S3存储桶的读取权限

10

我有一个AWS Elastic Beanstalk Rails应用程序,正在通过配置脚本进行配置,以从S3存储桶中提取一些文件。启动应用程序时,我在日志中始终收到以下错误(出于安全性考虑,存储桶名称已更改):

Failed to retrieve https://s3.amazonaws.com/my.bucket/bootstrap.sh: HTTP Error 403 : <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message>

配置文件:

packages:
  yum:
    git: []

files:
  /opt/elasticbeanstalk/hooks/appdeploy/pre/01a_bootstrap.sh:
    mode: "00755"
    owner: root
    group: root
    source: https://s3.amazonaws.com/my.bucket/bootstrap.sh

设置了具有aws-elasticbeanstalk-ec2-roleIAM角色作为实例角色的Elastic Beanstalk环境。该角色具有以下策略:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "arn:aws:s3:::my.bucket/*"
    }
  ]
}

S3存储桶具有以下策略:

{
"Version": "2008-10-17",
"Statement": [
    {
        "Sid": "Stmt1371012493903",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::<account #>:role/aws-elasticbeanstalk-ec2-role"
        },
        "Action": [
            "s3:List*",
            "s3:Get*"
        ],
        "Resource": "arn:aws:s3:::my.bucket/*"
    }
]
}

我需要更改什么以使EC2实例能够访问我的S3存储桶?

amazon-ec2  amazon-web-services  amazon-s3  elastic-beanstalk  amazon-iam 
诊断
source

Answers:

6

您还必须从EC2实例中检索实例元数据中的临时凭证:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<your-iam-role-name>

然后,您应使用提供的访问权限和密钥访问您的S3存储桶。

阿兰·塞勒斯特
source
1
当您通过适用于应用程序中特定语言的AWS开发工具包执行此操作时,SDK在内部会注意获取临时证书,然后根据特定的时间间隔刷新它们。
whokares 2014年
2
您如何使用访问和密钥访问S3存储桶?你有例子吗?干杯
席琳Aussourd
By using our site, you acknowledge that you have read and understand our Cookie Policy and Privacy Policy.
Licensed under cc by-sa 3.0 with attribution required.