权限被拒绝而弹性魔豆检索S3文件 [英] Permission denied while elastic beanstalk is retrieving S3 file

问题描述

我有存储在S3文件，写了 .ebextensions 配置自动将它们复制到新的实例。我收到此错误的弹性魔豆控制台：

I have files stored on S3 and wrote .ebextensions config to automatically copy the them to new instances. I'm receiving this error in the Elastic Beanstalk console:

[实例： INSTANCEID 的模块：AWSEBAutoScalingGroup ConfigSet：空]命令失败的实例。返回code：1输出：[CMD-AppDeploy / AppDeployStage0 / EbExtension preBuild]命令失败，错误code 1：编译过程中出现错误：无法检索的https://s3-us-west-1.amazonaws.com/MyBucket/MyFolder/_MyFile.txt: HTTP错误403： AccessDenied

[Instance: INSTANCEID Module: AWSEBAutoScalingGroup ConfigSet: null] Command failed on instance. Return code: 1 Output: [CMD-AppDeploy/AppDeployStage0/EbExtensionPreBuild] command failed with error code 1: Error occurred during build: Failed to retrieve https://s3-us-west-1.amazonaws.com/MyBucket/MyFolder/_MyFile.txt: HTTP Error 403 : AccessDenied

我的.ebextension配置文件有本节：

My .ebextension config file has this section:

files:
    "/target/file/path" :
        mode: "000777"
        owner: ec2-user
        group: ec2-user
        source: https://s3-us-west-1.amazonaws.com/_MyBucket_/_MyFolder_/_MyFile.txt

在试图使这个文件复制的工作，我也轻松的权限，给予弹性魔豆IAM角色只读访问策略应用到所有S3的标准。它的政策是这样的：

In attempting to make this file copying work, I've also relaxed permissions by giving the elastic beanstalk IAM role the standard read only access policy to all of S3. It's policy is this:

{
  "Effect": "Allow",
  "Action": [
    "s3:Get*",
    "s3:List*"
  ],
  "Resource": "*"
}

然而，prebuild复制步骤仍然失败。难道我给源URL以正确的格式？是否有其他安全机构/策略为何？帮助请：）

Yet the prebuild copying step still fails. Did I give the source url in the correct format? Is there another security entity/policy involved? Help please :)

推荐答案

类似chaseadamsio的回答，您可以与策略配置给EC2实例中的作用访问S3的资源，然后用pre-安装AWS CLI工具来移动文件。

Similar to chaseadamsio's answer, you can configure the role given to the EC2 instance with a policy to access S3 resources, then use the pre-installed AWS CLI utilities to move files around.

我走近这个问题的方法是创建一个专用于给定的EB应用程序角色，然后附上类似的策略：

The way I approached this is to create a role dedicated to the given EB application, then attach a policy similar to:

"Statement": [
    {
        "Sid": "<sid>",
        "Effect": "Allow",
        "Action": [
            "s3:GetObject"
        ],
        "Resource": [
            "arn:aws:s3:::<your_bucket_path>/*"
        ]
    }
]

这让你的实例的访问，然后拿到文件，添加一个'命令'块到你的配置，如：

This gives your instance access, then to get the files, add a 'commands' block to your config such as:

commands: 
  01-get-file:
    command: aws s3 cp s3://<your_bucket_path>/your-file.txt /home/ec2-user
  02-execute-actions: 
    [unpack, run scripts, etc..]

显然，你可以根据需要使用其他AWS CLI utlities。我发现这解决了很多问题，我在和S3的访问，使部署变得更加简单。

Obviously you can use other AWS CLI utlities as needed. I found this solved a lot of problems I was having with S3 access and makes deployment a lot easier.

这篇关于权限被拒绝而弹性魔豆检索S3文件的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！