尽管有用户角色,AWS Batch作业仍在S3上被拒绝访问 [英] AWS Batch job getting Access Denied on S3 despite user role
问题描述
我正在AWS上部署我的第一批作业.当我在EC2实例中运行docker映像时,作业调用的脚本运行良好.我已为此实例分配了一个IAM角色以允许S3访问.
I am deploying my first batch job on AWS. When I run my docker image in an EC2 instance, the script called by the job runs fine. I have assigned an IAM role to this instance to allow S3 access.
但是,当我在AWS Batch上运行与作业相同的脚本时,由于S3访问上的访问被拒绝错误,该脚本失败.尽管事实是,在作业定义"中,我分配了一个具有完全S3访问权限的IAM角色(为弹性容器服务任务"创建).
But when I run the same script as a job on AWS Batch, it fails due to Access Denied errors on S3 access. This is despite the fact that in the Job Definition, I assign an IAM role (created for Elastic Container Service Task) that has full S3 access.
如果我使用不访问S3的命令启动批处理作业,则运行正常.
If I launch my batch job with a command that does not access S3, it runs fine.
由于使用IAM角色定义作业似乎还不够,那么我该如何在AWS上的批处理作业中授予S3权限?
Since using an IAM role for the job definition seems not to be sufficient, how then do I grant S3 permissions within a Batch Job on AWS?
编辑
因此,如果我只运行aws s3 ls interlinked作为工作,那也将正常运行.无法正常运行R脚本:
So if I just run aws s3 ls interlinked as my job, that also runs properly. What does not work is running the R script:
library(aws.s3)
get_bucket("mybucket")[[1]]
哪个会因访问被拒绝而失败.
Which fails with Access Denied.
所以看来问题出在aws.s3软件包,或者更可能是我对它的使用.
So it seems the issue is either with the aws.s3 package or, more likely, my use of it.
推荐答案
原来的问题是,我为计算环境(更严格)和作业(更不严格)都指定了IAM角色.
The problem turned out to be that I had IAM Roles specified for both my compute environment (more restrictive) and my jobs (less restrictive).
在这种情况下(需要基于角色的凭据),aws.s3 R包使用aws.signature和aws.ec2metadata从角色中提取临时凭据.它拉动计算环境角色(这是ec2角色),而不是工作角色.
In this scenario (where role based credentials are desired), the aws.s3 R package uses aws.signature and aws.ec2metadata to pull temporary credentials from the role. It pulls the compute environment role (which is an ec2 role), but not the job role.
我的解决方案只是向我的计算环境角色授予所需的S3权限.
My solution was just to grant the required S3 permissions to my compute environment's role.
这篇关于尽管有用户角色,AWS Batch作业仍在S3上被拒绝访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
