从服务器上的容器访问AWS S3存储桶 [英] Access AWS S3 bucket from a container on a server

问题描述

如何在没有代码中包含AWS凭证的情况下从容器访问S3存储桶?

How can I access my S3 bucket from a container without having my AWS credentials in the code?

我的代码也会自动部署，因此将其作为Env变量也是不好的(部署脚本位于存储库中-凭据也不应位于其中).

My code also auto-deploy, so having it as an Env-variable is also no good (the deployment script is in the repository - and the credentials shouldn's be there either ) .

我试图研究IAM的角色，但无法将注意力放在有助于我的用例的事情上.

I tried to look into IAM roles, but couldn't wrap my head around something that will help my use-case.

推荐答案

如果直接在EC2实例上运行容器(不使用ECS服务)，则需要创建一个IAM role并为其附加适当的策略(例如作为AmazonS3FullAccess，如果您需要S3的所有权限，并且只需要阅读S3的内容，则可以添加AmazonS3ReadOnlyAccess策略.创建此角色后，可以将其附加到运行容器的EC2实例上.

If you are running containers on an EC2 instance directly (without using ECS service) then you need to create an IAM role and attach appropriate policy to it (such as AmazonS3FullAccess, if you need all rights for S3, if you only need to read the contents of S3, then you can add AmazonS3ReadOnlyAccess policy). After you have created this role you can attach it to the EC2 instance where you are running your container.

如果您使用的是ECS服务，则可以将此角色附加到定义容器的任务中(仍然可以将其附加到基础EC2容器实例-但仅在EC2启动类型的情况下才可以) Fargate-让容器担当那个角色，但最好是尽可能地细化-具有自己角色的单个任务.

If you are using ECS service, then you can attach this role to the task in which you define your containers (it is still possible to attach it to the underlying EC2 container instance - but only in case of EC2 launch type, not Fargate - for the container to assume that role, but it is preferred to be as granular as possible - individual tasks having their own roles).

您绝不应该将AWS凭证添加到代码中或将其存储在EC2实例/容器中，这就是您拥有角色的原因.

You should never add AWS credentials to your code or store them in an EC2 instance/container, that is why you have roles.

这篇关于从服务器上的容器访问AWS S3存储桶的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！