AWS Import-image用户无权访问S3对象 [英] AWS Import-image User does not have access to the S3 object

问题描述

运行AWS(Amazon Web Services)导入映像任务时:

When running the AWS (Amazon Web Services) import-image task:

aws ec2 import-image --description "My OVA" --disk-containers file://c:\TEMP\containers.json

我收到以下错误:

调用ImportImage操作时发生错误(InvalidParameter):用户无权访问S3对象.(mys3bucket/vms/myOVA.ova)

An error occurred (InvalidParameter) when calling the ImportImage operation: User does not have access to the S3 object.(mys3bucket/vms/myOVA.ova)

我遵循了此有关导入VM的AWS文档(包括步骤1、2和3).具体来说，我设置了vmimport角色和该角色的建议策略.我在做什么错了?

I followed all of the instructions in this AWS document on importing a VM (including Steps 1, 2, and 3). Specifically, I setup a vmimport role and the recommended policies for the role. What am I doing wrong?

推荐答案

我终于明白了.问题是我的IAM user (包含vmimport角色)无法访问我的S3存储桶.一旦我授予IAM用户对我的S3存储桶的访问权限(通过在S3中设置存储桶策略)，import-image命令就会成功启动该过程.

I finally figured this out. The problem was my IAM user, that contains the vmimport role, did not have access to my S3 bucket. Once I granted my IAM user access to my S3 bucket (by setting a bucket policy in S3), the import-image command kicked off the process successfully.

要在S3中设置存储桶策略，请右键单击您的存储桶(即S3中的顶级存储桶名称)，然后单击属性".然后从显示的右侧菜单中，打开权限"，然后单击添加存储桶策略".将会出现一个小窗口，您可以在其中放入JSON以获取策略.这是为我工作的人:

To set the bucket policy in S3, right-click on your bucket (i.e. the top level bucket name in S3), then click "Properties". Then from the right-hand menu that gets displayed, open "Permissions", and click "Add bucket policy". A small window will come up where you can put in JSON for a policy. Here is the one that worked for me:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "Stmt1476979061000",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::MY-AWS-account-ID:user/myIAMuserID"
        },
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::mys3bucket",
            "arn:aws:s3:::mys3bucket/*"
        ]
    }
]}

您需要将"MY-AWS-account-ID"替换为您的AWS账户ID，并将"myIAMuserID"替换为包含vmimport角色的IAM用户ID. 本文档讨论如何获取您的AWS账户ID.并且此文档详细讨论了授予权限在S3中.

You'll need to replace "MY-AWS-account-ID" with your AWS Account ID, and "myIAMuserID" with your IAM user ID that contains the vmimport role. This document talks about how to get your AWS Account ID. And this document talks more about granting permissions in S3.

这篇关于AWS Import-image用户无权访问S3对象的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！