弹性 beantalk 检索 S3 文件时权限被拒绝 [英] Permission denied while elastic beanstalk is retrieving S3 file

问题描述

我将文件存储在 S3 上并编写了 .ebextensions 配置以自动将它们复制到新实例.我在 Elastic Beanstalk 控制台中收到此错误:

I have files stored on S3 and wrote .ebextensions config to automatically copy the them to new instances. I'm receiving this error in the Elastic Beanstalk console:

[Instance: INSTANCEID Module: AWSEBAutoScalingGroup ConfigSet: null] 命令在实例上失败.返回代码:1 输出:[CMD-AppDeploy/AppDeployStage0/EbExtensionPreBuild] 命令失败，错误代码 1:构建期间发生错误:无法检索 https://s3-us-west-1.amazonaws.com/MyBucket/MyFolder/_MyFile.txt:HTTP 错误 403:<代码>拒绝访问

[Instance: INSTANCEID Module: AWSEBAutoScalingGroup ConfigSet: null] Command failed on instance. Return code: 1 Output: [CMD-AppDeploy/AppDeployStage0/EbExtensionPreBuild] command failed with error code 1: Error occurred during build: Failed to retrieve https://s3-us-west-1.amazonaws.com/MyBucket/MyFolder/_MyFile.txt: HTTP Error 403 : AccessDenied

我的 .ebextension 配置文件有这个部分:

My .ebextension config file has this section:

files:
    "/target/file/path" :
        mode: "000777"
        owner: ec2-user
        group: ec2-user
        source: https://s3-us-west-1.amazonaws.com/_MyBucket_/_MyFolder_/_MyFile.txt

在尝试使此文件复制工作时，我还通过为弹性 beanstalk IAM 角色提供对所有 S3 的标准只读访问策略来放宽权限.它的政策是这样的:

In attempting to make this file copying work, I've also relaxed permissions by giving the elastic beanstalk IAM role the standard read only access policy to all of S3. It's policy is this:

{
  "Effect": "Allow",
  "Action": [
    "s3:Get*",
    "s3:List*"
  ],
  "Resource": "*"
}

然而预构建复制步骤仍然失败.我是否以正确的格式提供了源网址?是否涉及其他安全实体/策略?请帮忙:)

Yet the prebuild copying step still fails. Did I give the source url in the correct format? Is there another security entity/policy involved? Help please :)

推荐答案

我找到了克服此错误的解决方案.事实证明，在 .ebextensions 配置文件中添加一个 Resources 部分使其工作.整个文件变成:

I found a solution to overcome this error. It turns out adding a Resources section to the .ebextensions config file makes it work. The entire file becomes:

files:
  "/target/file/path" :
    mode: "000777"
    owner: ec2-user
    group: ec2-user
    source: https://s3-us-west-1.amazonaws.com/_MyBucket_/_MyFolder_/_MyFile.txt
Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      AWS::CloudFormation::Authentication:
        S3Access:
          type: S3
          roleName: aws-elasticbeanstalk-ec2-role
          buckets: _MyBucket

在这一点上，我不知道为什么必须这样.希望它可以帮助迷路的人继续前进并最终获得更好的理解.我的回答基于此链接 https://forums.aws.amazon.com/message.jspa?messageID=541634

At this point, I don't know enough to grok why it has to be this way. Hopefully it can help someone who's lost move forward and eventually gain a better understanding. I based my answer on this link https://forums.aws.amazon.com/message.jspa?messageID=541634

这篇关于弹性 beantalk 检索 S3 文件时权限被拒绝的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！