主页 / server / 问题 / 769069
Accepted
Ernest Mueller
Asked: 2016-04-09 07:03:29 +0800 CST

使用 CF::Init 通过 IAM 角色从我的 EC2 实例访问 S3 存储桶不起作用

  • 772

我有一个用于设置 ECS 集群的 CloudFormation 模板,我正在尝试使用 ASG 上的 CloudFormation::Init 将一些配置文件放到盒子上,并将它们从 S3 中拉出。

"ECSASGLaunchConfiguration": {
  "Type": "AWS::AutoScaling::LaunchConfiguration",
  "Metadata": {
    "AWS::CloudFormation::Authentication": {
      "S3AccessCreds": {
        "type": "S3",
        "roleName": {
          "Ref": "ECSEC2InstanceIAMRole"
        }
      }
    },
    "AWS::CloudFormation::Init": {
      "config": {
        "packages": {
        },
        "groups": {
        },
        "users": {
        },
        "sources": {
        },
        "files": {
          "/etc/dd-agent/conf.d/nginx.yaml": {
            "source": "https://s3.amazonaws.com/foobar/scratch/nginx.yaml",
            "mode": "000644",
            "owner": "root",
            "group": "root"
          },
          "/etc/dd-agent/conf.d/docker_daemon.yaml": {
            "source": "https://s3.amazonaws.com/foobar/scratch/docker_daemon.yaml",
            "mode": "000644",
            "owner": "root",
            "group": "root"
          }
        },
        "commands": {
        },
        "services": {
        }
      }
    }
  },

为此,我在为我的 EC2 实例创建的角色中添加了一个内联策略,它应该允许从实例进行所有 S3 访问。

"ECSEC2InstanceIAMRole": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "ec2.amazonaws.com"
            ]
          },
          "Action": [
            "sts:AssumeRole"
          ]
        }
      ]
    },
    "ManagedPolicyArns": [
      "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
      "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess"
    ],
    "Path": "/",
    "Policies": [
      {
        "PolicyName": "otxS3access",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "s3:ListAllMyBuckets",
              "Resource": "arn:aws:s3:::*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
              ],
              "Resource": "arn:aws:s3:::foobar"
            },
            {
              "Effect": "Allow",
              "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
              ],
              "Resource": "arn:aws:s3:::foobar/*"
            }
          ]
        }
      }
    ]
  }
},
"ECSEC2InstanceIAMProfile": {
  "Type": "AWS::IAM::InstanceProfile",
  "Properties": {
    "Path": "/",
    "Roles": [
      {
        "Ref": "ECSEC2InstanceIAMRole"
      }
    ]
  }
},

但它不起作用。我在日志中找不到错误(或其他任何内容)。当我手动尝试从实例中卷曲它时,它也不起作用,“ AccessDenied...”

在这种情况下,存储桶本身“foobar”除了不公开之外没有任何特殊权限,只是标准帐户名单一被授权者。

知道我做错了什么吗?

amazon-web-services

1 个回答

  1. Best Answer

    我发现了问题。问题中的所有 CloudFormation 都很好,可以做它应该做的事情。问题在于我在 ASG 的启动配置中设置的实例用户数据中运行 cfn-init - 它不起作用,因此它没有执行 init 内容。感谢@Rob-d,您的评论使我走上了通往可执行级别的道路。

    使所有这些工作的神奇的另一部分:

        "UserData": {
      "Fn::Base64": {
        "Fn::Join": [
          "",
          [
            "#!/bin/bash\n",
            "cat > /etc/ecs/ecs.config <<EOF\n",
            "ECS_CLUSTER=",
            {
              "Ref": "ECSCluster"
            },
            "\n",
            "ECS_ENGINE_AUTH_TYPE=docker\n",
            "ECS_ENGINE_AUTH_DATA={REDACTED}\n",
            "EOF\n",
            "yum -y install aws-cfn-bootstrap\n",
            "# Install the files and packages from the metadata\n",
            "/opt/aws/bin/cfn-init -v ",
            "         --stack ",
            {
              "Ref": "AWS::StackName"
            },
            "         --resource ECSASGLaunchConfiguration ",
            "         --region ",
            {
              "Ref": "AWS::Region"
            },
            "\n",
            "/opt/aws/bin/cfn-signal -e -0 ",
            "         --stack ",
            {
              "Ref": "AWS::StackName"
            },
            "         --resource ECSAutoScalingGroup ",
            "         --region ",
            {
              "Ref": "AWS::Region"
            },
            "\n",
            "\n"
          ]
        ]
      }
    }
    • 1

相关问题