我在.ebextensions文件夹中有一个简单的文件:
00 myconfig.config
Resources: AWSEBAutoScalingGroup: Metadata: AWS::CloudFormation::Authentication: S3Access: type: S3 roleName: aws-elasticbeanstalk-ec2-role buckets: my-bucket files: "/tmp/ca-bundle.zip": mode: "000755" owner: root group: root source: https://s3-ap-southeast-2.amazonaws.com/my-bucket/ca/ca-bundle.zip authentication: S3Access
根据多个答案是授予S3存储区访问aws-elasticbeanstalk-ec2-roleangular色的方式。
但是我继续在/var/log/eb-activity.log得到403错误
[2015-08-26T01:27:03.544Z] INFO [22320] - [Application update/AppDeployStage0/EbExtensionPreBuild/Infra-EmbeddedPreBuild] : Activity execution failed, because: Failed to retrieve https://s3-ap-southeast-2.amazonaws.com/my-bucket/ca/ca-bundle.zip: HTTP Error 403 : <?xml version="1.0" encoding="UTF-8"?> (ElasticBeanstalk::ExternalInvocationError)
如果我手动添加S3访问策略到aws-elasticbeanstalk-ec2-roleangular色一切正常,所以我知道我没有在URLS或任何其他的拼写错误,EC2实例是在正确的angular色。
哪里不对?
PS。 我试过或没有'身份validation'设置的files部分。
我已经知道了,我觉得有点傻,因为不尽快采取这种做法。
所以对于任何使用AWS::CloudFormation::Authenticationpath的人来说,解决scheme当然是:
确保你的BUCKET策略允许你的aws-elasticbeanstalk-ec2-role。 DOH !!
它应该看起来像这样:
{ "Id": "Policy1111Blah", "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1440Blah", "Action": [ "s3:GetObject" ], "Effect": "Allow", "Resource": "arn:aws:s3:::my-bucket/*", "Principal": { "AWS": [ "arn:aws:iam::11111111111:role/aws-elasticbeanstalk-ec2-role" ] } } ] }
您可以从IAM控制台抓取ARN。
您的.ebextensionsconfiguration文件中的说明仅告诉EB部署工具要使用什么来进行身份validation,但是您的源存储桶(如果明显是私密的)需要允许该主体访问权限!