授予 S3 对 EC2 实例的访问权限(最简单的情况)
我尝试使用最简单的情况以 aws documentation 。我创建了角色,分配给实例并重新启动实例。要交互式测试访问,我将登录到Windows实例并运行AWS S3API列表-Objects-Bucket TestBucket。我得到错误在调用ListObject操作时发生错误(访问):访问被拒绝。
下一个测试是创建.aws/凭据文件,并添加配置文件以假定角色。我修改了角色(分配给实例),并添加了许可以扮演帐户中任何用户的角色。当我运行相同的命令AWS S3API列表-Objects-Bucket testbucket -profile pabe_role 时,列出了对象。
这是我的测试角色信任关系
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com",
"ssm.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
},
{
"Sid": "UserCanAssumeRole",
"Effect": "Allow",
"Principal": {
"AWS": "111111111111"
},
"Action": "sts:AssumeRole"
}
]
}
角色只有一个许可“ amazons3fullaccess”。
当我在AWS控制台中切换角色时,我可以看到S3桶的内容(并且在AWS控制台中不允许其他操作)。
我的假设是EC2实例不承担角色。
如何查明问题在哪里?
I tried with simplest case following AWS documentation. I created role, assigned to instance and rebooted instance. To test access interactively, I logon to Windows instance and run aws s3api list-objects --bucket testbucket. I get error An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied.
Next test was to create .aws/credentials file and add profile to assume role. I modified role (assigned to instance) and added permission to assume role by any user in account. When I run same command aws s3api list-objects --bucket testbucket --profile assume_role, objects in bucket are listed.
Here is my test role Trust Relationship
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com",
"ssm.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
},
{
"Sid": "UserCanAssumeRole",
"Effect": "Allow",
"Principal": {
"AWS": "111111111111"
},
"Action": "sts:AssumeRole"
}
]
}
Role has only one permission "AmazonS3FullAccess".
When I switch role in AWS console, I can see content of S3 bucket (and no other action is allowed in AWS console).
My assumption is that EC2 instance does not assume role.
How to pinpoint where is the problem?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
问题出在 Windows 代理上。
我检查了代理环境变量。没有设置。当我检查“控制面板”->“Internet 选项”时,我看到“代理”文本框显示代理的值,但未选中“使用代理”复选框。旁边是文字“您的某些设置由组织管理”。跳过代理已列出 169.254.169.254。
我在调试模式下运行命令,看到 CLI 连接到代理。无法访问 169.254.169.254 并且未设置凭据。当我显式设置环境变量
set NO_PROXY=169.254.169.254时,一切都开始工作。我不明白为什么 AWS CLI 使用 Windows 系统的代理。最糟糕的是,它使用代理但不检查绕过代理。吸取教训。 在调试模式下运行命令并验证输出。
Problem was with Windows proxy.
I checked proxy environment variables. None was set. When I checked Control Panel->Internet options I saw that Proxy text box shows value of proxy, but checkbox "Use proxy" was not checked. Next to it was text "Some of your settings are managed by organization." Skip proxy was having 169.254.169.254 listed.
I run command in debug mode and saw that CLI connects to proxy. Which cannot access 169.254.169.254 and no credentials are set. When I explicitly set environment variable
set NO_PROXY=169.254.169.254everything started to work.Why AWS CLI uses proxy from Windows system I do not understand. Worst of all, it uses proxy but does not check bypass proxy. Lesson learned. Run command in debug mode and verify output.