Configuring ActiveStorage to use S3 with IAM role

Problem description

I'm trying to configure ActiveStorage to use an S3 bucket as a storage backend; however, I don't want to pass any of access_key_id, secret_access_key, region. Instead, I'd like to use a previously defined IAM role. Such a configuration is mentioned here. It reads (I've added bold):

If you want to use environment variables, standard SDK configuration files, profiles, IAM instance profiles or task roles, you can omit the access_key_id, secret_access_key, and region keys in the example above. The Amazon S3 Service supports all of the authentication options described in the AWS SDK documentation.

However, I cannot get it working. My storage.yml looks similar to this:

amazon:
  service: S3
  bucket: bucket_name
  credentials:
    role_arn: "linked::account::arn"
    role_session_name: "session-name"

I've run rails active_storage:install, applied generated migrations and set config.active_storage.service = :amazon in my app's config.

The issue is that when I'm trying to save a file, I'm getting an unexpected error:

u = User.first
s = StringIO.new
s << 'hello,world'
s.seek 0
u.csv.attach(io: s, filename: 'filename.csv')

Traceback (most recent call last):
        2: from (irb):3
        1: from (irb):3:in `rescue in irb_binding'
LoadError (Unable to autoload constant ActiveStorage::Blob::Analyzable, expected /usr/local/bundle/gems/activestorage-5.2.2/app/models/active_storage/blob/analyzable.rb to define it)

I'm using Rails 5.2.2.

Recommended answer

Are you trying this code inside an AWS EC2 instance or locally in your machine?

If you check the authentication methods in AWS: https://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/setup-config.html#aws-ruby-sdk-credentials-iam

You will see the following section:

Setting Credentials Using IAM

For an Amazon Elastic Compute Cloud instance, create an AWS Identity and Access Management role, and then give your Amazon EC2 instance access to that role. For more information, see IAM Roles for Amazon EC2 in the Amazon EC2 User Guide for Linux Instances or IAM Roles for Amazon EC2 in the Amazon EC2 User Guide for Windows Instances.

This means that for this authentication method to work, you must:

  • Create an EC2 instance on AWS
  • Create an EC2 IAM role with permission to write to the S3 bucket
  • Configure the EC2 instance, attaching the new IAM role to it

With the role attached to the instance, your config/storage.yml file will look like this:

amazon:
  service: S3
  bucket: test-stackoverflow-bucket-app
  region: "us-west-1"

Note that region is a required parameter; you'll get an error if you skip it: https://github.com/aws/aws-sdk-ruby/issues/1240#issuecomment-231866239

I'm afraid this won't work locally; to use active_storage locally you must set the access_key_id and secret_access_key values.
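
An added example, not part of the original answer or of Rails: a small Ruby check that reads a storage.yml and reports, for each S3 entry, the conditions this thread turns on (no region, access keys written into the file, a hash under credentials). The sample YAML, the function name audit_storage_yml and the finding strings are constructed for illustration; treating a credentials hash as unusable is an assumption of the example, and ERB in the file would need to be rendered before parsing.

```ruby
require "yaml"

# Constructed sample: the question's entry, the answer's entry, and a
# static-key entry. Key values are placeholders, not real credentials.
SAMPLE_STORAGE_YML = <<~YAML
  question:
    service: S3
    bucket: bucket_name
    credentials:
      role_arn: "linked::account::arn"
      role_session_name: "session-name"
  answer:
    service: S3
    bucket: test-stackoverflow-bucket-app
    region: "us-west-1"
  static_keys:
    service: S3
    bucket: bucket_name
    region: "us-west-1"
    access_key_id: "PLACEHOLDER_KEY_ID"
    secret_access_key: "PLACEHOLDER_SECRET"
  local:
    service: Disk
    root: storage
YAML

STATIC_KEYS = %w[access_key_id secret_access_key].freeze

# Returns { entry_name => [finding, ...] } for each S3 entry in storage.yml.
# env is injectable so the region fallback can be checked deterministically.
def audit_storage_yml(yaml_text, env = ENV)
  (YAML.safe_load(yaml_text) || {}).each_with_object({}) do |(name, opts), report|
    next unless opts.is_a?(Hash) && opts["service"].to_s == "S3"

    findings = []
    # The answer notes the SDK errors out without a region; AWS_REGION in
    # the environment is the SDK's fallback when the key is omitted.
    if opts["region"].to_s.strip.empty? && env["AWS_REGION"].to_s.strip.empty?
      findings << "no region in file or AWS_REGION"
    end
    literal = STATIC_KEYS & opts.keys
    findings << "static keys in file: #{literal.join(', ')}" unless literal.empty?
    # Assumption: a YAML hash under credentials is not a credential source;
    # the answer's role-based entry has no such key.
    findings << "credentials set to a YAML hash" if opts["credentials"].is_a?(Hash)
    report[name] = findings
  end
end

audit_storage_yml(SAMPLE_STORAGE_YML, {}).each do |name, findings|
  puts "#{name}: #{findings.empty? ? 'ok' : findings.join('; ')}"
end
```

An entry with no findings, like the answer's, leaves credential lookup to the SDK, which is what lets the instance role be used.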
