AWS S3 storage permission denied from Elastic Beanstalk


Posted: 2019-07-16 18:14:26

Question:

I am trying to access one of my S3 buckets from an EC2 instance deployed by Elastic Beanstalk. My EC2 instance belongs to aws-elasticbeanstalk-ec2-role, and I have granted this role the AmazonS3FullAccess policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": "*"
            }
        ]
    }
And the bucket policy is as follows:

    {
        "Version": "2008-10-17",
        "Statement": [
            {
                "Sid": "eb-ad78f54a-f239-4c90-adda-49e5f56cb51e",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::XXXXXX:role/aws-elasticbeanstalk-ec2-role"
                },
                "Action": "s3:PutObject",
                "Resource": "arn:aws:s3:::elasticbeanstalk-us-east-XXXXXX/resources/environments/logs/*"
            },
            {
                "Sid": "eb-af163bf3-d27b-4712-b795-d1e33e331ca4",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::XXXXXX:role/aws-elasticbeanstalk-ec2-role"
                },
                "Action": [
                    "s3:ListBucket",
                    "s3:ListBucketVersions",
                    "s3:GetObject",
                    "s3:GetObjectVersion"
                ],
                "Resource": [
                    "arn:aws:s3:::elasticbeanstalk-us-east-2-XXXXXX",
                    "arn:aws:s3:::elasticbeanstalk-us-east-2-XXXXXX/resources/environments/*"
                ]
            },
            {
                "Sid": "eb-58950a8c-feb6-11e2-89e0-0800277d041b",
                "Effect": "Deny",
                "Principal": {
                    "AWS": "*"
                },
                "Action": "s3:DeleteBucket",
                "Resource": "arn:aws:s3:::elasticbeanstalk-us-east-2-XXXXXX"
            }
        ]
    }

When I try to access the bucket from an SSH session or through a script in .ebextensions, I get a 403 Access Denied error. I tried making the file public and running the same command, and that works fine, but the files I need cannot be public.

I believe I have the correct policies on both the bucket and the EC2 role. I may have overlooked some detail, though.

Any help is welcome. Thanks in advance!

Comments:

Which key in the bucket are you trying to access? What happens if you launch a separate EC2 box with that role and hit things from the command line?

@PhilipKendall I just tried what you told me. I launched an EC2 instance with that role, and when I run the command aws s3 ls s3:///s3.us-east-2.amazonaws.com/elasticbeanstalk-us-east-2-XXXX/ it returns the same error. I tried with keys from other buckets and got the same. The key I am trying to access in the bucket is /api/passport. Thanks!

Answer 1:

So, based on my knowledge and the issues I have run into before, your bucket policy is incorrect. It is invalid because the ListBucket and ListBucketVersions actions must be applied to the bucket name, not to a prefix.

Here is my corrected policy, which should work:

    {
        "Version": "2008-10-17",
        "Statement": [
            {
                "Sid": "eb-ad78f54a-f239-4c90-adda-49e5f56cb51e",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::XXXXXX:role/aws-elasticbeanstalk-ec2-role"
                },
                "Action": "s3:PutObject",
                "Resource": [
                    "arn:aws:s3:::elasticbeanstalk-us-east-XXXXXX/resources/environments/logs/*",
                    "arn:aws:s3:::elasticbeanstalk-us-east-XXXXXX/resources/environments/logs"
                ]
            },
            {
                "Sid": "eb-af163bf3-d27b-4712-b795-d1e33e331ca4",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::XXXXXX:role/aws-elasticbeanstalk-ec2-role"
                },
                "Action": [
                    "s3:GetObject",
                    "s3:GetObjectVersion"
                ],
                "Resource": [
                    "arn:aws:s3:::elasticbeanstalk-us-east-2-XXXXXX/resources/environments",
                    "arn:aws:s3:::elasticbeanstalk-us-east-2-XXXXXX/resources/environments/*"
                ]
            },
            {
                "Sid": "eb-af163bf3-d27b-4712-b795-anything",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::XXXXXX:role/aws-elasticbeanstalk-ec2-role"
                },
                "Action": [
                    "s3:ListBucket",
                    "s3:ListBucketVersions"
                ],
                "Resource": [
                    "arn:aws:s3:::elasticbeanstalk-us-east-2-XXXXXX"
                ]
            },
            {
                "Sid": "eb-58950a8c-feb6-11e2-89e0-0800277d041b",
                "Effect": "Deny",
                "Principal": {
                    "AWS": "*"
                },
                "Action": "s3:DeleteBucket",
                "Resource": "arn:aws:s3:::elasticbeanstalk-us-east-2-XXXXXX"
            }
        ]
    }

Useful documentation for future reference -> AWS S3 docs
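The point the answer makes, that S3 evaluates ListBucket/ListBucketVersions against the bucket ARN and GetObject/PutObject against object ARNs, can be checked mechanically before a policy is applied. The script below is an added example, not code from the question, the answer or AWS: it lints a bucket policy for action/resource pairs that can never match, and evaluates a principal, action and key against the policy with explicit deny beating allow. The account id, bucket name and keys in it are constructed placeholders.

```python
"""Check an S3 bucket policy the way S3 evaluates it: bucket-level actions
(ListBucket, ...) against the bucket ARN, object-level actions (GetObject, ...)
against object ARNs, and explicit Deny beating Allow. Added example; all
account ids, bucket names and keys below are constructed placeholders."""
import fnmatch

# Actions S3 evaluates against the bucket ARN itself (arn:aws:s3:::bucket).
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket", "s3:ListBucketVersions",
                        "s3:GetBucketLocation", "s3:DeleteBucket"}
# Actions S3 evaluates against an object ARN (arn:aws:s3:::bucket/key).
OBJECT_LEVEL_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion",
                        "s3:PutObject", "s3:DeleteObject"}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource/Principal fields."""
    return value if isinstance(value, list) else [value]


def is_object_arn(arn):
    """True for arn:aws:s3:::bucket/key..., False for arn:aws:s3:::bucket."""
    return "/" in arn[len("arn:aws:s3:::"):]


def lint_policy(policy):
    """Return (Sid, action, resource, problem) for every action/resource pair
    whose resource type can never match the action, i.e. a dead grant."""
    findings = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                if resource == "*":
                    continue
                if action in BUCKET_LEVEL_ACTIONS and is_object_arn(resource):
                    findings.append((sid, action, resource,
                                     "bucket-level action against an object ARN"))
                elif action in OBJECT_LEVEL_ACTIONS and not is_object_arn(resource):
                    findings.append((sid, action, resource,
                                     "object-level action against a bucket ARN"))
    return findings


def _principal_matches(stmt, principal_arn):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    allowed = _as_list(principal.get("AWS", []))
    return "*" in allowed or principal_arn in allowed


def evaluate(policy, principal_arn, action, resource_arn):
    """Bucket-policy decision only: explicit deny > allow > implicit deny.
    Wildcards in Action/Resource are matched with fnmatch semantics."""
    decision = "implicit deny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt, principal_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, pat)
                   for pat in _as_list(stmt.get("Action", []))):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, pat)
                   for pat in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit deny"
        decision = "allow"
    return decision


ROLE = "arn:aws:iam::111122223333:role/aws-elasticbeanstalk-ec2-role"  # constructed
BUCKET = "arn:aws:s3:::example-eb-bucket"  # constructed

# Constructed: one statement mixing list and read actions over both ARN types,
# the shape the answer objects to.
MIXED_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "mixed", "Effect": "Allow", "Principal": {"AWS": ROLE},
        "Action": ["s3:ListBucket", "s3:ListBucketVersions",
                   "s3:GetObject", "s3:GetObjectVersion"],
        "Resource": [BUCKET, BUCKET + "/resources/environments/*"],
    }],
}

# Constructed: the same grant split by resource type, plus the DeleteBucket deny.
SPLIT_POLICY = {
    "Version": "2008-10-17",
    "Statement": [
        {"Sid": "list", "Effect": "Allow", "Principal": {"AWS": ROLE},
         "Action": ["s3:ListBucket", "s3:ListBucketVersions"], "Resource": BUCKET},
        {"Sid": "read", "Effect": "Allow", "Principal": {"AWS": ROLE},
         "Action": ["s3:GetObject", "s3:GetObjectVersion"],
         "Resource": BUCKET + "/resources/environments/*"},
        {"Sid": "nodelete", "Effect": "Deny", "Principal": {"AWS": "*"},
         "Action": "s3:DeleteBucket", "Resource": BUCKET},
    ],
}

if __name__ == "__main__":
    for sid, action, resource, problem in lint_policy(MIXED_POLICY):
        print(f"{sid}: {action} on {resource}: {problem}")
    # A key outside the allowed prefix is not covered by any Allow statement.
    print(evaluate(SPLIT_POLICY, ROLE, "s3:GetObject", BUCKET + "/api/passport"))
```

The mixed statement produces four findings (two list actions paired with the object prefix, two read actions paired with the bucket ARN); the split version produces none. The evaluator also shows why a key such as /api/passport is implicitly denied by this bucket policy: no Allow covers anything outside resources/environments/*. Keep in mind that this evaluates the bucket policy alone; for a principal in the bucket's own account, an Allow in the identity policy (such as AmazonS3FullAccess) is sufficient by itself, so a dead grant in the bucket policy explains a missing resource-side grant but does not on its own account for a 403 from that role.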
