授予EC2实例对S3存储桶的访问权限 [英] Grant EC2 instance access to S3 Bucket
问题描述
我想授予ec2实例对s3存储桶的访问权限。
I want to grant my ec2 instance access to an s3 bucket.
在此ec2实例上,启动了包含我的应用程序的容器。现在,我没有获得s3存储桶的许可。
On this ec2 instance, a container with my application is launched. Now I don't get permission on the s3 bucket.
这是我的存储桶策略
{
"Version": "2012-10-17",
"Id": "Policy1462808223348",
"Statement": [
{
"Sid": "Stmt1462808220978",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::714656454815:role/ecsInstanceRole"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket-name/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "private-ip/32"
}
}
}
]
}
但是在我授予存储桶许可之前这是行不通的让所有人都可以访问它。
But it doesn't work until I give the bucket the permission for everyone to access it.
我尝试从ec2实例内部将文件压缩到s3存储桶中,但这也不起作用。
I try to curl the file in the s3 bucket from inside the ec2 instance but this doesn't work either.
推荐答案
没有直接的方法可以授予 EC2实例对AWS服务器的访问权限,但是您可以尝试以下方法。 p>
There is no direct way of granting "EC2" instance access to AWS server, but you can try the following.
- 在AWS IAM中创建一个新用户,然后下载凭证文件。
- 该用户将代表您EC2服务器。
- 为用户提供对S3存储桶的权限。
-
接下来,将凭据文件放在以下位置:-
EC2-Windows实例:
a。将凭证文件放置在所需的任何位置。 (例如C:/凭据)
b。创建一个环境变量 AWS_CREDENTIAL_PROFILES_FILE 并将该值作为放置凭据文件(例如C:/凭据)的路径。
EC2-Linux实例
a。按照Windows实例中的步骤操作
b。在应用程序服务器的根文件夹中创建一个文件夹 .aws (例如 / usr / share / tomcat6 )。
c。在环境变量和 .aws 文件夹之间创建符号链接
sudo ln -s $ AWS_CREDENTIAL_PROFILES_FILE /usr/share/tomcat6/.aws/credentials
- Create a new user in AWS IAM, and download the credentials file.
- This user will represent your EC2 server.
- Provide the user with permissions to your S3 Bucket.
Next, place the credentials file in the following location:-
EC2 - Windows Instance:
a. Place the credentials file anywhere you wish. (e.g. C:/credentials)
b. Create an environment variable AWS_CREDENTIAL_PROFILES_FILE and put the value as the path where you put your credentials file (e.g. C:/credentials)
EC2 - Linux Instance
a. Follow steps from windows instance
b. Create a folder .aws inside your app-server's root folder (e.g. /usr/share/tomcat6).
c. Create a symmlink between your environment variable and your .aws foldersudo ln -s $AWS_CREDENTIAL_PROFILES_FILE /usr/share/tomcat6/.aws/credentials
现在已经放置了凭据文件,您可以使用Java代码访问存储桶。
注意:为此,需要AWS-SDK库
Now that your credentials file is placed, you can use Java code to access the bucket.
NOTE: AWS-SDK libraries are required for this
AWSCredentials credentials = null;
try {
credentials = new ProfileCredentialsProvider().getCredentials();
} catch (Exception e) {
LOG.error("Unable to load credentials " + e);
failureMsg = "Cannot connect to file server.";
throw new AmazonClientException(
"Cannot load the credentials from the credential profiles file. " +
"Please make sure that your credentials file is at the correct " +
"location (environment variable : AWS_CREDENTIAL_PROFILES_FILE), and is in valid format.",
e);
}
AmazonS3 s3 = new AmazonS3Client(credentials);
Region usWest2 = Region.getRegion(Regions.US_WEST_2);
s3.setRegion(usWest2);
ObjectListing objectListing = s3.listObjects(new ListObjectsRequest().withBucketName(bucketName).withPrefix(prefix));
其中 bucketName = [您的存储桶名称]
和前缀 = [您的存储桶中的文件夹结构,其中包含文件]
Where bucketName = [Your Bucket Name]
and prefix = [your folder structure inside your bucket, where your file(s) are contained]
希望帮助。
另外,如果您不使用Java,也可以使用其他编程语言签出AWS-SDK。
Hope that helps. Also, if you are not using Java, you can check out AWS-SDKs in other programming languages too.
这篇关于授予EC2实例对S3存储桶的访问权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!