在PHP SDK中使用IAM角色时出现问题 [英] Issue using an IAM role with PHP SDK
问题描述
我正在使用此脚本填充DynamoDB: https://docs .aws.amazon.com/amazondynamodb/latest/developerguide/LoadDataPHP.html
I am using this script to populate DynamoDB: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/LoadDataPHP.html
我使用AWS开发工具包收到此错误:
I'm getting this error using the AWS SDK:
PHP致命错误:未捕获的异常 消息无法读取"的"Aws \ Exception \ CredentialsException" 来自/root/.aws/credentials的凭证 /var/www/vendor/aws/aws-sdk-php/src/Credentials/CredentialProvider.php:263
PHP Fatal error: Uncaught exception 'Aws\Exception\CredentialsException' with message 'Cannot read credentials from /root/.aws/credentials' in /var/www/vendor/aws/aws-sdk-php/src/Credentials/CredentialProvider.php:263
根据 https://docs.aws. amazon.com/aws-sdk-php/v2/guide/credentials.html
如果您没有显式提供凭证给客户端对象,并且没有可用的环境变量凭证,则SDK会尝试从Amazon EC2实例元数据服务器检索实例配置文件凭证.仅当在已配置IAM角色的Amazon EC2实例上运行时,这些凭据才可用.
If you do not explicitly provide credentials to the client object and no environment variable credentials are available, the SDK attempts to retrieve instance profile credentials from an Amazon EC2 instance metadata server. These credentials are available only when running on Amazon EC2 instances that have been configured with an IAM role.
我具有连接到我的实例的IAM角色,并且具有完整的超级用户访问权限.我已经确认该角色可以通过AWS CLI正常运行,该AWS CLI无需任何凭据配置即可访问DynamoDB.
I have an IAM role attached to my instance with full power user access. I have confirmed the role is working fine via the AWS CLI, which can access DynamoDB without any credential configuration.
关于我可能做错了什么的任何建议?我的印象是(不需要解释该凭证文件)我不需要配置任何凭证,因此可以使用IAM角色.
Any suggestions as to what I could be doing wrong? I am under the impression (and interpret that credentials document to say) that I don't need to configure any credentials, hence the use of the IAM role.
推荐答案
我只是想为可能会遇到这种情况的其他人扩大一点.
I just wanted to expand a bit on this for anyone else that may end up in this situation.
然后在创建客户端时不要使用配置文件行.如果您确实在客户端中指定了配置文件,它会告诉SDK使用来自凭据ini文件的配置文件覆盖您在客户端中设置的任何形式的凭据.
Then don't use the profile line when creating a client. If you do specify profile in your client it tells the SDK to override any form of credentials you set in the client with a profile from the credentials ini file.
在PHP SDK V3文档中已提及(但有些掩饰): https://docs.aws.amazon .com/aws-sdk-php/v3/guide/guide/configuration.html#profile
Mentioned (but buried a bit) in the PHP SDK V3 documentation here: https://docs.aws.amazon.com/aws-sdk-php/v3/guide/guide/configuration.html#profile
$client = new SqsClient([
'profile' => 'default', // <--- Don't use this line if you're using IAM Roles for credentials
'region' => 'us-west-2',
'version' => '2012-11-05'
]);
误导性文档
PHP SDK文档建议在EC2实例的所有其他其他凭据之前使用IAM角色.很好,很合情理.例如,这种情况会给新手带来误导;
Misleading Documentation
The PHP SDK documentation recommends using IAM roles above all other credentials for EC2 instances. That's fine and makes total sense. The misleading part to new comers is for example this scenario;
- 说新手SDK的人会在入门"部分中阅读基本SDK用法".
- 根据文档设置S3客户端进行测试.
- 一旦他们拥有可用的S3代码,开发人员便决定跳至代码示例部分,以为其他AWS服务设置客户端.
这里的问题是所有代码示例(S3示例除外)都包含配置文件设置,该配置文件设置破坏了IAM角色凭据方法.
The problem here is that all of the code examples (with the exception of the S3 examples) contain the profile setting that breaks the IAM role credential method.
这些代码示例至少应参考配置文件的功能.
The code examples should at least have a reference to what profile does.
这篇关于在PHP SDK中使用IAM角色时出现问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!