个人中心
gpt4 book ai didi

amazon-s3 - CloudFormation::Init 无法下载 S3 文件并拒绝访问

转载 作者:行者123 更新时间:2023-12-03 07:33:20 25 4
gpt4 key购买 nike

我正在尝试将文件从 S3 存储桶下载到 EC2 Windows 服务器上。我已设置 IAM 角色、策略和配置文件。在服务器的 CloudFormation::Init 部分,我有不同的配置集,其中之一是从存储桶下载文件。

--- Some items not shown ---
"Parameters": {
        "S3BucketName": {
            "Description": "The name of an existing S3 bucket that the server needs to access.",
            "Type": "String",
            "Default": "ccw-to-rds-poc-1"
        },
--- Some parameters not shown ---
"InstanceRole":{
         "Type":"AWS::IAM::Role",
         "Properties":{
            "AssumeRolePolicyDocument":{
               "Statement":[
                  {
                     "Effect":"Allow",
                     "Principal":{
                        "Service":[
                           "ec2.amazonaws.com"
                        ]
                     },
                     "Action":[
                        "sts:AssumeRole"
                     ]
                  }
               ]
            },
            "Path":"/"
         }
      },
      "RolePolicies":{
         "Type":"AWS::IAM::Policy",
         "Properties":{
            "PolicyName":"S3Download",
            "PolicyDocument":{
               "Statement":[
                  {
                     "Action":[
                        "s3:GetObject"
                     ],
                     "Effect":"Allow",
                     "Resource": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "S3BucketName"}]]}
                  }
               ]
            },
            "Roles":[
               {
                  "Ref":"InstanceRole"
               }
            ]
         }
      },
      "InstanceProfile":{
         "Type":"AWS::IAM::InstanceProfile",
         "Properties":{
            "Path":"/",
            "Roles":[
               {
                  "Ref":"InstanceRole"
               }
            ]
         }
      },
      "myAppServer": {
        "Type": "AWS::EC2::Instance",
        "Metadata": {
            "AWS::CloudFormation::Authentication": {
                "S3AccessCreds": {
                    "type": "S3",
                    "roleName": {
                        "Ref": "InstanceRole"
                    },
                    "buckets" : [{"Ref": "S3BucketName"}]
                }
            },
            "AWS::CloudFormation::Init": {
                "configSets": {
                    "downloadS3Data": ["downloadS3"],
                    "Full": [{"ConfigSet": "downloadS3Data"}, "fullServer"],
                    "default": [ {"ConfigSet": "Full"}],
                    "App": [{"ConfigSet": "downloadS3Data"}, "appServer"],
                    "Interface": [{"ConfigSet": "downloadS3Data"}, "interfaceServer"],
                    "Notification": [{"ConfigSet": "downloadS3Data"}, "notificationServer"]
                },
                "downloadS3": {
                    "files": {
                        "C:\\Users\\Administrator\\Documents\\s3download.bak": {
                            "source": "https://ccw-to-rds-poc-1.s3.us-east-2.amazonaws.com/test.txt",
                            "authentication": "S3AccessCreds"
                        }
                    }
                },
                "fullServer": {
                    "commands": {
                        "test": {
                            "command": "echo \"$MAGIC\"",
                            "env": {"MAGIC": "I am from the full server env"},
                            "cwd": "C:\\Users\\Administrator\\Desktop"
                        }
                    }
                },
                --- Some config sets not shown ---
            }
        },
        "Properties": {
            "IamInstanceProfile": {
                "Ref": "InstanceProfile"
            },
            "ImageId": "ami-012bb86d0081c5240",
            "InstanceType": "t2.small",
            "KeyName": {"Ref": "keypair"},
            "SecurityGroupIds": ["sg-0d0b50ca1774707b7"],
            "UserData" : {
                "Fn::Base64" : {
                    "Fn::Join" : [
                        "",
                        [
                            "<powershell>\n",
                                "cfn-init.exe -v -s ", {"Ref" : "AWS::StackId"}, " -r YourInstance -c ", {"Ref": "CCWServerType"} , " --region ", {"Ref" : "AWS::Region"}, "\n",
                            "</powershell>\n",
                            "<persist>true</persist>"
                        ]
                    ]
                }
            }

        }
    }

当服务器运行时"cfn-init.exe -v -s ", {"Ref": "AWS::StackId"}, "-r YourInstance -c ", {"Ref": "CCWServerType "} , "--region ", {"Ref": "AWS::Region"}, "\n",,

它创建了s3download.bak,但它是空的并且给出了“拒绝访问”(HTTP 错误 403)。是否有我对 IAM 配置执行不正确导致此问题的原因?

编辑:我认为这是因为我正在访问整个存储桶,而不仅仅是一个特定的项目,如 this article 中提到的那样这可能就是问题所在。但是,在尝试 "Action":["s3:*Object"]"Action":["s3.Get*"] 后,我仍然获得相同的访问权限拒绝错误。

最佳答案

问题出在我的 IAM 政策上。我将存储桶 ARN 指定为 s3:GetObject 操作的资源,但对于此操作,资源需要是对象。 See AWS S3 Docs

因此,我最终在 S3 ARN 的末尾添加了通配符,这样我就可以获取存储桶中的任何对象。

"资源": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "S3BucketName"}, "/*"]] }

关于amazon-s3 - CloudFormation::Init 无法下载 S3 文件并拒绝访问,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/74130647/

25 4 0
文章推荐: amazon-web-services - 如果存储桶存在,如何强制 CloudFormation 创建一个具有相似名称的新存储桶?
文章推荐: amazon-web-services - AWS - CloudFormation - MalformedPolicyDocument - SHARR
文章推荐: amazon-web-services - AWS云信息模板
文章推荐: amazon-web-services - 如何根据CloudFormation参数部分中的VPC过滤子网?
行者123
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
全站热门文章
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com