我有一个AWS Elastic Beanstalk Rails应用程序,通过configuration脚本来从S3存储桶中取出一些文件。 当我启动应用程序时,我一直在日志中收到以下错误( 存储桶名称已更改为安全 ):
Failed to retrieve https://s3.amazonaws.com/my.bucket/bootstrap.sh: HTTP Error 403 : <?xml version="1.0" encoding="UTF-8"?> <Error><Code>AccessDenied</Code><Message>Access Denied</Message>
configuration文件:
packages: yum: git: [] files: /opt/elasticbeanstalk/hooks/appdeploy/pre/01a_bootstrap.sh: mode: "00755" owner: root group: root source: https://s3.amazonaws.com/my.bucket/bootstrap.sh
Elastic Beanstalk环境使用aws-elasticbeanstalk-ec2-role IAMangular色设置,因为它是实例angular色。 这个angular色有以下政策:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:Get*", "s3:List*" ], "Resource": "arn:aws:s3:::my.bucket/*" } ] }
S3存储桶有以下策略:
{ "Version": "2008-10-17", "Statement": [ { "Sid": "Stmt1371012493903", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<account #>:role/aws-elasticbeanstalk-ec2-role" }, "Action": [ "s3:List*", "s3:Get*" ], "Resource": "arn:aws:s3:::my.bucket/*" } ] }
我需要更改哪些内容才能让我的EC2实例访问我的S3存储桶?
从您的EC2中,您还必须检索实例元数据中的临时凭证:
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<your-iam-role-name>
然后,您将使用提供的访问密钥访问您的S3存储桶。