如何让 VPC 端点在 Docker 容器中工作?
Posted
技术标签:
【中文标题】如何让 VPC 端点在 Docker 容器中工作?【英文标题】:How do you get a VPC Endpoint to work in a Docker container? 【发布时间】:2017-04-15 01:18:36 【问题描述】:我无法让 AWS CLI 从 Docker 容器中的 S3 下载文本文件。有一个 VPC 设置,其 VPC 端点已在 S3 政策中获得批准:
"Version": "2012-10-17",
"Statement": [
"Sid": "DenyUnEncryptedObjectUploads",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::secret-store/*",
"Condition":
"StringNotEquals":
"s3:x-amz-server-side-encryption": "AES256"
,
"Sid": " DenyUnEncryptedInflightOperations",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::secret-store/*",
"Condition":
"Bool":
"aws:SecureTransport": "false"
,
"Sid": "Access-to-specific-VPCE-only",
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::secret-store/*",
"Condition":
"StringNotEquals":
"aws:sourceVpce": "vpce-de7893b7"
]
我正在使用安装 AWS CLI 并调用入口点脚本的 Dockerfile:
FROM java:8
RUN apt-get update && \
apt-get -y install python curl unzip && cd /tmp && \
curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" \
-o "awscli-bundle.zip" && \
unzip awscli-bundle.zip && \
./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws && \
rm awscli-bundle.zip && rm -rf awscli-bundle
COPY entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
入口点脚本设置 AWS CLI 配置文件并调用 aws s3 cp s3://bucket/file.txt -
:
#!/bin/bash
mkdir ~/.aws
echo '[default]
aws_access_key_id=
aws_secret_access_key=
output=json
region=us-west-2' > ~/.aws/config
aws --version
aws s3 cp s3://secret-store/test.txt -
当我从 EC2 CLI 运行入口点脚本时,我得到了预期的授权响应:
[ec2-user@ip-10-0-1-86 ~]$ ./entrypoint.sh
mkdir: cannot create directory ‘/home/ec2-user/.aws’: File exists
aws-cli/1.11.22 Python/2.7.5 Linux/3.10.0-514.el7.x86_64 botocore/1.4.79
Hello secure VPC world!
但是,当我在同一主机上从 Docker 映像运行相同的脚本时,我得到了 download failed (Forbidden)
错误:
[ec2-user@ip-10-0-1-86 ~]$ docker build . -t test && docker run test
Sending build context to Docker daemon 15.89 MB
Step 1 : FROM java:8
---> 861e95c114d6
Step 2 : RUN apt-get update && apt-get -y install python curl unzip && cd /tmp && curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip" && unzip awscli-bundle.zip && ./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws && rm awscli-bundle.zip && rm -rf awscli-bundle
---> Using cache
---> c948b9caeaae
Step 3 : COPY entrypoint.sh /entrypoint.sh
---> Using cache
---> 9c1774cc5d57
Step 4 : ENTRYPOINT /entrypoint.sh
---> Running in 98179b1b7172
---> d8f12456a198
Removing intermediate container 98179b1b7172
Successfully built d8f12456a198
aws-cli/1.11.22 Python/2.7.9 Linux/3.10.0-514.el7.x86_64 botocore/1.4.79
download failed: s3://secret-store/test.txt to - An error occurred (403) when calling the HeadObject operation: Forbidden
任何人都知道为什么我在一个运行在同一主机上的 docker 容器中得到一个 Forbidden 响应吗?
【问题讨论】:
【参考方案1】:如果您有 S3 的 VPC 终端节点,则需要终端节点策略以允许访问 docker hub 使用的 S3 存储桶。
即:
"Version": "...",
"Id": "...",
"Statement": [
"Sid": "stmtAllowDockerImages",
"Effect": "Allow",
"Principal": "*",
"Action": "*",
"Resource": [
"arn:aws:s3:::docker-images-prod",
"arn:aws:s3:::docker-images-prod/*"
]
]
【讨论】:
【参考方案2】:VPC 端点使用内部地址,因此如果您的构建容器正在解析外部 s3 端点,则该政策将不适用。 Docker 构建应该只使用桥接网络,但您可以在 Dockerfile 中添加一个 nslookup 调试行,并与它工作的主机上的相同命令进行比较。
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html
【讨论】:
能否请您解释一下具体如何解决这个问题(无法从容器内部访问 s3-endpoint)?以上是关于如何让 VPC 端点在 Docker 容器中工作?的主要内容,如果未能解决你的问题,请参考以下文章
如何让 MSSQL 服务容器在 Azure DevOps 管道中工作?
如何让“Pointermove”委托在父母/孩子的Safari iOS中工作?
如何将单个 WCF 服务配置为具有多个 HTTP 和 HTTPS 端点?