主页 / user-35232

Ernest Mueller's questions

Martin Hope
Ernest Mueller
Asked: 2016-08-26 11:34:27 +0800 CST
  • 1

我有两个 Cloudformation 文件用于制作两个不同的堆栈,每个堆栈都包含一个 VPC。一个是管理 VPC,它将用于通过 ssh 访问另一个 VPC 以及所有这些,典型的堡垒用例。

我启动了管理 VPC,然后将其 ID 作为参数传递到第二个 CF 文件中,具体使用 VPC Id 类型:

"AdminVPC": {
  "Description": "ID of the admin VPC",
  "Type": "AWS::EC2::VPC::Id"
}

但是当我尝试设置 VPC 的网络 ACL 时,我正在做

"Type": "AWS::EC2::NetworkAclEntry",
  "Properties": {
    "CidrBlock": {
      "Fn::GetAtt": [
        {
          "Ref": "AdminVPC"
        },
        "CidrBlock"
      ]
    },

其中,当我运行 ecs cf validate 时,只产生消息

An error occurred (ValidationError) when calling the ValidateTemplate operation: Internal Failure

如果我只是在 CIDR 块中硬编码,它就可以正常工作

"CidrBlock": "0.0.0.0/0",

但是文档声称

  1. 使用 GetAtt 从 vpc ID 中获取 CIDR 块应该可以工作
  2. 对于 Fn::GetAtt 属性名称,您可以使用 Ref 函数。

所以我不确定这种用法有什么问题......

networking amazon-vpc amazon-cloudformation
Martin Hope
Ernest Mueller
Asked: 2016-04-09 07:03:29 +0800 CST
  • 2

我有一个用于设置 ECS 集群的 CloudFormation 模板,我正在尝试使用 ASG 上的 CloudFormation::Init 将一些配置文件放到盒子上,并将它们从 S3 中拉出。

"ECSASGLaunchConfiguration": {
  "Type": "AWS::AutoScaling::LaunchConfiguration",
  "Metadata": {
    "AWS::CloudFormation::Authentication": {
      "S3AccessCreds": {
        "type": "S3",
        "roleName": {
          "Ref": "ECSEC2InstanceIAMRole"
        }
      }
    },
    "AWS::CloudFormation::Init": {
      "config": {
        "packages": {
        },
        "groups": {
        },
        "users": {
        },
        "sources": {
        },
        "files": {
          "/etc/dd-agent/conf.d/nginx.yaml": {
            "source": "https://s3.amazonaws.com/foobar/scratch/nginx.yaml",
            "mode": "000644",
            "owner": "root",
            "group": "root"
          },
          "/etc/dd-agent/conf.d/docker_daemon.yaml": {
            "source": "https://s3.amazonaws.com/foobar/scratch/docker_daemon.yaml",
            "mode": "000644",
            "owner": "root",
            "group": "root"
          }
        },
        "commands": {
        },
        "services": {
        }
      }
    }
  },

为此,我在为我的 EC2 实例创建的角色中添加了一个内联策略,它应该允许从实例进行所有 S3 访问。

"ECSEC2InstanceIAMRole": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "ec2.amazonaws.com"
            ]
          },
          "Action": [
            "sts:AssumeRole"
          ]
        }
      ]
    },
    "ManagedPolicyArns": [
      "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
      "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess"
    ],
    "Path": "/",
    "Policies": [
      {
        "PolicyName": "otxS3access",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "s3:ListAllMyBuckets",
              "Resource": "arn:aws:s3:::*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
              ],
              "Resource": "arn:aws:s3:::foobar"
            },
            {
              "Effect": "Allow",
              "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
              ],
              "Resource": "arn:aws:s3:::foobar/*"
            }
          ]
        }
      }
    ]
  }
},
"ECSEC2InstanceIAMProfile": {
  "Type": "AWS::IAM::InstanceProfile",
  "Properties": {
    "Path": "/",
    "Roles": [
      {
        "Ref": "ECSEC2InstanceIAMRole"
      }
    ]
  }
},

但它不起作用。我在日志中找不到错误(或其他任何内容)。当我手动尝试从实例中卷曲它时,它也不起作用,“ AccessDenied...”

在这种情况下,存储桶本身“foobar”除了不公开之外没有任何特殊权限,只是标准帐户名单一被授权者。

知道我做错了什么吗?

amazon-web-services