Elastic Beanstalk S3 permission on standard role: still permission denied on file access

Problem description

Trying to get an EB working with an S3 bucket. Thought I'd followed all the instructions, but just cannot get the uploaded pdf to display (currently "permission denied"). I had this working on heroku + S3 earlier so know it works in theory.

Setup

  • Ruby EB, single instance. Created with default app
  • added the paperclip demo app
  • app: paperclipdemo3 env: paperclipdemo3-dev
  • instance profile (aws-elasticbeanstalk-ec2-role). Standard service profile (aws-elasticbeanstalk-service-role)
  • attached AmazonS3FullAccess to this role
  • S3 buckets created in same region

Error

When viewing the uploaded file (pdf) gives: AccessDenied, Access Denied, 5CDDC975006C7C62, h3ohBvPu8hXYIZkwLsgF/k0akNuLjyaOpbBzgsxmgtesQ/UJBlOH6phRrsr0tPowNFBFZ7LCI7M=

Uploaded doc S3 path

as per generated html page

Tried

  • fixed 'sorry something went wrong', which was endpoints / region config
  • adding a specific policy as suggested in docs, customising bucket names etc., but decided when it didn't work to go simple:
  • adding S3 full access to the aws-elasticbeanstalk-ec2-role (which seems the 'simplest' as defined here: "SO S3 permissions").
  • making the S3 bucket world readable (i.e. everyone), and it gives the same access denied. Surely this should work!?

Just cannot get it to work. Bet it's something obvious!?

Hope someone else can spot it quicker than I can, any thoughts appreciated.

EDIT 1 - I've noticed that people talk of seeing logs in the EB console, but all I can do is download the last 100 lines or full EC2 logs. None of my logs mention S3 errors (other than paperclip uploading the file), there is no return code. I've also noticed my S3 bucket is not writing ANY logs (even though I attached a separate logging bucket in the same region).

Paperclip config

    config.paperclip_defaults = {
      :storage => :s3,
      :s3_region => 'ap-southeast-2',
      # Object ACL that Paperclip applies to each uploaded file
      :s3_permissions => :private,
      :s3_protocol => 'https',
      :s3_host_name => 's3-ap-southeast-2.amazonaws.com',
      :s3_endpoint => 's3-ap-southeast-2.amazonaws.com',
      # Bucket name and access keys are read from the EB environment variables
      :s3_credentials => {
        :bucket => ENV['AWS_BUCKET'],
        :access_key_id => ENV['AWS_ACCESS_KEY_ID'],
        :secret_access_key => ENV['AWS_SECRET_ACCESS_KEY'],
      }
    }

Roles

aws-elasticbeanstalk-ec2-role role policy

EB config env variables

S3 sample uploaded file permissions

Recommended answer

I was mixing S3 policy & ACLs. This config is the culprit:

  :s3_permissions => :private,

If it's removed it goes public!

This has a good explanation of it: https://thewebfellas.com/blog/protecting-your-paperclip-downloads with the ACLs listed here: http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html
