Exporting DynamoDB to S3 in another account using CodeBuild

Published 2025-01-12 12:12:24


I've created a codebuild to run the following command.

      aws dynamodb export-table-to-point-in-time \
        --table-arn arn:aws:dynamodb:REDACTED:REDACTED:table/REDACTED \
        --s3-bucket REDACTED \
        --s3-bucket-owner REDACTED

I've also created a service-role and attached the following inline policy.

        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::REDACTED/*",
                "arn:aws:s3:::REDACTED"
            ]
        }

Finally, I've updated the S3 bucket to allow the service-role to write to the bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::REDACTED:role/service-role/REDACTED"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::REDACTED/*",
                "arn:aws:s3:::REDACTED"
            ]
        }
    ]
}

The codebuild invokes the command correctly, but the export fails because of permissions.

[Container] 2022/03/08 11:50:42 Running command aws dynamodb export-table-to-point-in-time \
  --table-arn arn:aws:dynamodb:REDACTED:REDACTED:table/REDACTED \
  --s3-bucket REDACTED \
  --s3-bucket-owner REDACTED
{
    "ExportDescription": {
        "ExportArn": "arn:aws:dynamodb:REDACTED:REDACTED:table/REDACTED/export/REDACTED",
        "ExportStatus": "IN_PROGRESS",
        "StartTime": "2022-03-08T11:50:46.714000+00:00",
        "TableArn": "arn:aws:dynamodb:REDACTED:REDACTED:table/REDACTED",
        "TableId": "REDACTED",
        "ExportTime": "2022-03-08T11:50:46.714000+00:00",
        "ClientToken": "REDACTED",
        "S3Bucket": "REDACTED",
        "S3BucketOwner": "REDACTED",
        "S3SseAlgorithm": "AES256",
        "ExportFormat": "DYNAMODB_JSON"
    }
}
[Container] 2022/03/08 11:50:46 Phase complete: BUILD State: SUCCEEDED


If I invoke it from the AWS Console (i.e. as my user), I am able to export cross-account. But using CodeBuild and the command above, it fails.

What am I missing?


Comments (1)

◇流星雨 2025-01-19 12:12:24


I fixed this.

The issue was referencing the wrong accountId within the aws dynamodb export-table-to-point-in-time CLI command.
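The build log above shows why this class of mistake is easy to miss: `export-table-to-point-in-time` is asynchronous and returns `IN_PROGRESS` immediately, so the CodeBuild phase reports `SUCCEEDED` and the export only fails later on the DynamoDB side. The following is an added example (not code from the question, the answer, or AWS) that runs a preflight consistency check before the export is submitted. It takes the arguments the build step would pass, the CodeBuild service role's ARN and inline policy, and a small inventory record for the destination bucket (its name, the account that owns it, and its bucket policy). All account ids, names and ARNs are constructed placeholders. It flags the mismatch the answer describes (the `--s3-bucket-owner` account id not being the bucket's real owner) and also checks that both the identity-side and resource-side policies grant the S3 actions the export needs.

```python
"""Preflight checks for a cross-account DynamoDB export-to-S3 job.

Added example, not code from the question or the answer. All inputs are
constructed: the arguments the build step passes to
`aws dynamodb export-table-to-point-in-time`, the CodeBuild service role's
ARN and inline policy, and an inventory record for the destination bucket
(name, owner account id, bucket policy). Account ids are placeholders.
"""
import fnmatch
import re

# S3 actions the DynamoDB export needs on the destination bucket
# (the set listed in AWS's export-to-S3 documentation).
REQUIRED_S3_ACTIONS = ("s3:AbortMultipartUpload", "s3:PutObject", "s3:PutObjectAcl")

ARN_RE = re.compile(r"^arn:aws:[a-z0-9-]+:[a-z0-9-]*:(\d{12})?:.+$")


def arn_account(arn: str) -> str:
    """Return the account-id field of an ARN ('' for S3 ARNs, which have none)."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an ARN: {arn}")
    return m.group(1) or ""


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_allows(stmt: dict, action: str, resource: str) -> bool:
    """True if one Allow statement covers `action` on `resource` (glob wildcards honoured)."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return any(fnmatch.fnmatchcase(action, a) for a in actions) and any(
        fnmatch.fnmatchcase(resource, r) for r in resources
    )


def policy_allows(policy: dict, action: str, resource: str) -> bool:
    return any(statement_allows(s, action, resource) for s in _as_list(policy["Statement"]))


def statement_principals(stmt: dict) -> set:
    """Principal strings named by a bucket-policy statement ('*' for anonymous)."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return {"*"}
    return set(_as_list(principal.get("AWS", [])))


def preflight(export_args: dict, role_arn: str, role_policy: dict, bucket: dict) -> list:
    """Return a list of findings; an empty list means the export should be authorised."""
    findings = []
    owner = export_args["s3_bucket_owner"]
    role_account = arn_account(role_arn)

    # 1. The mismatch from the answer: --s3-bucket-owner must be the account
    #    that actually owns the bucket, not the caller's own account.
    if not re.fullmatch(r"\d{12}", owner):
        findings.append(f"--s3-bucket-owner {owner!r} is not a 12-digit account id")
    elif owner != bucket["owner_account"]:
        findings.append(
            f"--s3-bucket-owner {owner} does not match the bucket owner {bucket['owner_account']}"
        )
    if export_args["s3_bucket"] != bucket["name"]:
        findings.append(f"--s3-bucket {export_args['s3_bucket']} is not the bucket {bucket['name']}")

    # 2. The table must live in the account the CodeBuild role belongs to.
    table_account = arn_account(export_args["table_arn"])
    if table_account != role_account:
        findings.append(f"table is in account {table_account} but the role is in {role_account}")

    # 3. Identity side: the role's inline policy must grant every required action.
    object_arn = f"arn:aws:s3:::{bucket['name']}/*"
    for action in REQUIRED_S3_ACTIONS:
        if not policy_allows(role_policy, action, object_arn):
            findings.append(f"role policy does not allow {action} on {object_arn}")

    # 4. Resource side: for a bucket in another account, the bucket policy must
    #    name the role (or its account root) and grant the same actions.
    if bucket["owner_account"] != role_account:
        acceptable = {role_arn, f"arn:aws:iam::{role_account}:root", role_account, "*"}
        for action in REQUIRED_S3_ACTIONS:
            granted = any(
                statement_allows(s, action, object_arn) and statement_principals(s) & acceptable
                for s in _as_list(bucket["policy"]["Statement"])
            )
            if not granted:
                findings.append(f"bucket policy does not grant {action} on {object_arn} to {role_arn}")
    return findings


# Constructed inventory: account A owns the table and the CodeBuild role,
# account B owns the destination bucket.
SOURCE_ACCOUNT = "111111111111"
TARGET_ACCOUNT = "222222222222"
ROLE_ARN = f"arn:aws:iam::{SOURCE_ACCOUNT}:role/service-role/codebuild-export"
BUCKET_RESOURCES = ["arn:aws:s3:::export-bucket/*", "arn:aws:s3:::export-bucket"]
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": list(REQUIRED_S3_ACTIONS), "Resource": BUCKET_RESOURCES}]}
BUCKET = {"name": "export-bucket", "owner_account": TARGET_ACCOUNT, "policy": {
    "Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
         "Action": list(REQUIRED_S3_ACTIONS), "Resource": BUCKET_RESOURCES}]}}


def export_request(bucket_owner: str) -> dict:
    """The three arguments the build step passes, with a chosen --s3-bucket-owner."""
    return {"table_arn": f"arn:aws:dynamodb:us-east-1:{SOURCE_ACCOUNT}:table/Orders",
            "s3_bucket": "export-bucket", "s3_bucket_owner": bucket_owner}


if __name__ == "__main__":
    for label, owner in (("caller's own account as owner", SOURCE_ACCOUNT),
                         ("bucket's real owner", TARGET_ACCOUNT)):
        print(label, "->", preflight(export_request(owner), ROLE_ARN, ROLE_POLICY, BUCKET) or ["ok"])
```

Two design points: the bucket policy in the example grants only the three actions the export needs rather than `s3:*` as in the question, which is the least-privilege shape a defender would want on a bucket that accepts writes from another account; and the check distinguishes the identity-side policy (the role) from the resource-side policy (the bucket), since a cross-account write needs both to agree, and a missing grant on either side fails silently in the build log because the export runs asynchronously.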
