使用InstanceProfileCredentialsProvider是否是从Ec2实例连接到AWS S3的正确方法? [英] Is using InstanceProfileCredentialsProvider correct way to connect to AWS S3 from Ec2 instance?

问题描述

在我的代码起作用之前，我将存储桶策略设置得太开了.

Until my code works, I have set bucket policy too wide open.

{
    "Version": "2012-10-17",
    "Id": "Policy15",
    "Statement": [
        {
            "Sid": "Stmt1",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bcktName",
                "arn:aws:s3:::bcktName/*"
            ]
        }
    ]
}

我正在使用Elastic BeanStalk，而后者又使用AWS Ec2. Ec2实例具有aws-elasticbeanstalk-ec2-role，它提供了对S3的完全访问权限(我知道完全访问权限很危险).

I am using Elastic BeanStalk which in turn uses AWS Ec2. The Ec2 instance has aws-elasticbeanstalk-ec2-role which was provided FullAccess to S3 (I understand full access is dangerous).

我在部署到Ec2的Web应用程序中使用以下Java代码.

I'm using the following java code in my webapp which is deployed to Ec2.

AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
                  .withCredentials(new InstanceProfileCredentialsProvider(false))
                  .build();
              versionId = s3Client.putObject(new PutObjectRequest("bucketName", name, convFile))
                  .getVersionId();

1)这是使用Java代码从Ec2连接到S3的正确方法吗? 2)此文档使我感到困惑因为我不确定是否必须设置环境变量和/或Java系统属性和/或默认凭据配置文件和/或Amazon ECS容器凭据和/或实例配置文件凭据?

1) Is this the correct way to connect to S3 from Ec2 in a java code? 2) This documentation confuses me as I'm not sure if I have to set up Environment variables and/or Java system properties and/or The default credential profiles file and/or Amazon ECS container credentials and/or Instance profile credentials ?

请帮助我.这个问题让我震惊了近一个星期.

Please help me. I'm struck with this issue for almost a week.

PS: 以下是分配给我的个人资料的ec2InstanceRole

PS: Following is the ec2InstanceRole assigned to my profile

Role ARN  arn:aws:iam::111111111111:role/aws-elasticbeanstalk-ec2-role
Role description  
Instance Profile ARNs  arn:aws:iam::111111111111:instance-profile/aws-elasticbeanstalk-ec2-role
Path   /
Creation time  2017-10-17 11:27 PDT

分配给上述角色的策略是

And the policies assigned to above role are

  AmazonS3FullAccess
  AWSElasticBeanstalkWebTier
  AWSElasticBeanstalkMulticontainerDocker
  AWSElasticBeanstalkWorkerTier

推荐答案

尽管您的代码可以按原样工作，但是您可以将其全部删除:.withCredentials(new InstanceProfileCredentialsProvider(false))如果您使用Java的AWS开发工具包，则会自动选择实例配置文件不要指定任何凭据设置.您可以这样做:

Although your code should work as is, you can remove this part all together: .withCredentials(new InstanceProfileCredentialsProvider(false)) The AWS SDK for Java will automatically pick up the instance profile if you don't specify any credential settings. You can just do this:

AmazonS3 s3Client = AmazonS3ClientBuilder.standard().build();

如果这不起作用，请尝试从S3存储桶中完全删除存储桶策略.您不需要存储桶策略即可允许使用IAM实例配置文件的服务器访问存储桶，如果存储桶策略中有错别字或其他内容，则可能会造成问题.

If that doesn't work, try removing the bucket policy from the S3 bucket completely. You don't need the bucket policy in order to allow the server using the IAM instance profile to access the bucket, and if you have a typo or something in your bucket policy it could be breaking things.

如果这不起作用，请将分配给IAM实例配置文件的IAM策略添加到您的问题中.

If that doesn't work, add the IAM policy assigned to the IAM instance profile to your question.

这篇关于使用InstanceProfileCredentialsProvider是否是从Ec2实例连接到AWS S3的正确方法?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！