【发布时间】:2019-07-16 18:14:26
【问题描述】:
我正在尝试从 ElasticBeanstalk 部署的 EC2 实例访问我的 S3 存储桶之一。我的 EC2 实例属于 aws-elasticbeanstalk-ec2-role,我已通过 AmazonS3FullAccess 策略授予此角色:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
那么bucket策略如下:
"Version": "2008-10-17",
"Statement": [
{
"Sid": "eb-ad78f54a-f239-4c90-adda-49e5f56cb51e",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXX:role/aws-elasticbeanstalk-ec2-role"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::elasticbeanstalk-us-east-XXXXXX/resources/environments/logs/*"
},
{
"Sid": "eb-af163bf3-d27b-4712-b795-d1e33e331ca4",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXX:role/aws-elasticbeanstalk-ec2-role"
},
"Action": [
"s3:ListBucket",
"s3:ListBucketVersions",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::elasticbeanstalk-us-east-2-XXXXXX",
"arn:aws:s3:::elasticbeanstalk-us-east-2-XXXXXX/resources/environments/*"
]
},
{
"Sid": "eb-58950a8c-feb6-11e2-89e0-0800277d041b",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:DeleteBucket",
"Resource": "arn:aws:s3:::elasticbeanstalk-us-east-2-XXXXXX"
}
]
}
当我尝试从 SSH 连接或通过 .ebextensions 中的脚本访问存储桶时,我收到拒绝访问 403 错误。我尝试将文件公开并使用相同的命令,效果很好,但我需要的文件不能公开。
我认为我对存储桶和 EC2 角色都有正确的策略。不过我可能忘记了一些细节。
欢迎任何帮助。提前谢谢大家!
【问题讨论】:
-
您要访问存储桶中的哪个键?如果您使用该角色启动一个单独的 EC2 框并从命令行点击内容会发生什么?
-
@PhilipKendall 我刚刚试过你告诉我的。我已经使用该角色启动了一个 EC2 实例,当我执行命令
aws s3 ls s3:///s3.us-east-2.amazonaws.com/elasticbeanstalk-us-east-2-XXXX/时,它返回了同样的错误。我试过用其他桶的钥匙,我收到了同样的。我试图在存储桶中访问的密钥是/api/passport。谢谢!
标签: amazon-web-services amazon-s3 amazon-ec2 amazon-elastic-beanstalk permission-denied