
How to get a file from S3 for bootstrapping an application using a CloudFormation template, without launching EC2 instances with a role?

I need to download a file from an S3 bucket which is a private location. I have created an IAM Role using the AWS Console - hence I have an IAM Profile which I assign to the instances I launch. I can get the file from the secure location by providing an Authentication Object in the LaunchConfiguration. This only works if the instance is launched with an IamInstanceProfile.

   "LaunchConfiguration":{
        "Type":"AWS::AutoScaling::LaunchConfiguration",
        "Metadata":{
            "Comment":"Configure the Presentation Tier",
             "AWS::CloudFormation::Authentication": {
                "S3Access" : {
                    "type" : "S3",
                    "buckets":["demo-upload"],
                    "roleName": "MYS3ROLE"
                }
            },
            "AWS::CloudFormation::Init":{
                "config":{
                    "packages":{
                        "yum":{
                            "tomcat6": [],
                            "java-1.6.0-openjdk-devel" : [],
                            "tomcat6-webapps" :[],
                            "tomcat6-admin-webapps" :[],
                            "tomcat6-docs-webapp" :[],
                            "curl":[]
                        }
                    },
                    "files":{
                        "/var/lib/tomcat6/webapps/demo.war" : { 
                            "source" : {"Ref":"WarLoc"},
                            "owner" : "tomcat",
                            "group" : "tomcat",
                            "authentication":"S3Access"
                        },
                        "/root/demo.war" : { 
                            "source" : {"Ref":"WarLoc"},
                            "owner" : "root",
                            "group" : "root",
                            "authentication":"S3Access"
                        },
                        "/etc/cfn/cfn-hup.conf" : {
                            "content" : { "Fn::Join" : ["", [
                                "[main]\n",
                                "stack=", { "Ref" : "AWS::StackId" }, "\n",
                                "region=", { "Ref" : "AWS::Region" }, "\n",
                                "interval=1"
                            ]]},
                            "mode"    : "000400",
                            "owner"   : "root",
                            "group"   : "root"
                        },
                        "/etc/cfn/hooks.d/cfn-auto-reloader.conf" : {
                            "content": { "Fn::Join" : ["", [
                                "[cfn-auto-reloader-hook]\n",
                                "triggers=post.update\n",
                                "path=Resources.LaunchConfiguration.Metadata.AWS::CloudFormation::Init\n",
                                "action=/opt/aws/bin/cfn-init -s ", { "Ref" : "AWS::StackId" },
                                "         -r LaunchConfiguration ",
                                "         --region     ", { "Ref" : "AWS::Region" }, "\n",
                                "runas=root\n"
                            ]]}
                        }
                    },
                    "services" : {
                        "sysvinit" : {
                            "tomcat6":{
                                "files":["/var/lib/tomcat6/webapps/demo.war"],
                                "enabled": "true",
                                "ensureRunning":"true"
                            },
                            "cfn-hup":{
                                "files":["/etc/cfn/cfn-hup.conf","/etc/cfn/hooks.d/cfn-auto-reloader.conf"],
                                "enabled":"true",
                                "ensureRunning":"true"
                            }
                        }
                    }
                }
            }
        },
        "Properties":{
            "ImageId"        : { "Fn::FindInMap" : [ "AWSRegionArch2AMI", { "Ref" : "AWS::Region" }, { "Fn::FindInMap" : [ "AWSInstanceType2Arch", { "Ref" : "InstanceType" }, "Arch" ] } ] },
            "SecurityGroups" : [ { "Ref" : "InstanceSecurityGroup" } ],
            "InstanceType"   : { "Ref" : "InstanceType" },
            "InstanceMonitoring": "false",
            "KeyName"        : { "Ref" : "KeyName" },
            "AssociatePublicIpAddress" : "true",
            "IamInstanceProfile":"arn:aws:iam::MY_ACCOUNT_ID:instance-profile/MYS3ROLE",
            "UserData"       : { "Fn::Base64" : { "Fn::Join" : ["", [
              "#!/bin/bash -v\n",
              "yum update -y\n",
              "# Install Presentation Software\n",
              "/opt/aws/bin/cfn-init -s ", { "Ref" : "AWS::StackId" }, " -r LaunchConfiguration ",
              "    --region ", { "Ref" : "AWS::Region" }, "\n",
              "service tomcat6 stop\n",
              "rm -rf /var/lib/tomcat6/webapps/demo\n",
              "sleep 3\n",
              "service tomcat6 start\n",
              "sleep 3\n",
              "service tomcat6 restart\n",
              "/opt/aws/bin/cfn-hup\n",
              "/opt/aws/bin/cfn-signal -e $? -r \"Setup complete\" '", { "Ref" : "WaitHandle" }, "'\n"
              ]]}}
        }
    },

Can I download files from S3 which are not public without having to launch the machine with an IamInstanceProfile?

If I delete the "IamInstanceProfile":"arn:aws:iam::MY_ACCOUNT_ID:instance-profile/s3access", then in /var/log/cfn-init.log I find the following lines, which I don't think would be because of Authentication Failures:

ToolError: Failed to retrieve https://s3-us-west-2.amazonaws.com/demo-upload/0.0.1/demo.war: [Errno 404] HTTP Error 404 : <?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
 <title>404 - Not Found</title>
</head>
<body>
   <h1>404 - Not Found</h1>
 </body>
</html>

When I launch the Instance with the IamProfile everything runs fine. So, is there a way to get the files - without scripts and without storing credentials on the machine - but not have the instance launched with a role?

IAM Instance profile is the cleanest way to get a private file from S3 to EC2.

Other options are (apart from keeping the key in code - which is not good!):

I don't know of a way to access S3 from an EC2 instance without credentials, but I do have an idea for you.

  1. You can create your IAM Role inside your template, but without a policy (or an empty policy if the semantics make you specify one).

  2. Create an instance with this Role (you may need to make a WaitCondition).

  3. After the instance has been created (you will need a WaitCondition), create an IAM Role Policy that has the permissions you need and which restricts access to the Instance's IP address. Have it attach to the Role you created.

Your instance should have access to the resources it needs before it fully boots.
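The three steps above laid out as a CloudFormation fragment; this is an added example, not the answerer's template. It assumes parameters AmiId and InstanceType, the bucket and key from the question's cfn-init.log line, and that the instance reaches S3 from its public IP (so the aws:SourceIp condition can match); the UserData only signals the WaitCondition, and the question's cfn-init download would run after that signal, retrying until the policy is attached.

```json
{
  "Resources": {
    "BootstrapRole": {
      "Type": "AWS::IAM::Role",
      "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [
        { "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": { "Service": "ec2.amazonaws.com" } }
      ] } }
    },
    "BootstrapProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": { "Roles": [{ "Ref": "BootstrapRole" }] }
    },
    "WebServer": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": { "Ref": "AmiId" },
        "InstanceType": { "Ref": "InstanceType" },
        "IamInstanceProfile": { "Ref": "BootstrapProfile" },
        "UserData": { "Fn::Base64": { "Fn::Join": ["", [
          "#!/bin/bash -v\n",
          "/opt/aws/bin/cfn-signal -e 0 -r \"Instance up\" '", { "Ref": "InstanceUpHandle" }, "'\n"
        ]]}}
      }
    },
    "InstanceUpHandle": { "Type": "AWS::CloudFormation::WaitConditionHandle" },
    "InstanceUp": {
      "Type": "AWS::CloudFormation::WaitCondition",
      "DependsOn": "WebServer",
      "Properties": { "Handle": { "Ref": "InstanceUpHandle" }, "Count": "1", "Timeout": "600" }
    },
    "WarReadPolicy": {
      "Type": "AWS::IAM::Policy",
      "DependsOn": "InstanceUp",
      "Properties": {
        "PolicyName": "demo-war-read-only",
        "Roles": [{ "Ref": "BootstrapRole" }],
        "PolicyDocument": { "Version": "2012-10-17", "Statement": [{
          "Effect": "Allow",
          "Action": ["s3:GetObject"],
          "Resource": "arn:aws:s3:::demo-upload/0.0.1/demo.war",
          "Condition": { "IpAddress": { "aws:SourceIp": { "Fn::Join": ["/", [
            { "Fn::GetAtt": ["WebServer", "PublicIp"] }, "32" ]] } } }
        }] }
      }
    }
  }
}
```

Because WarReadPolicy depends on InstanceUp, the role carries no permissions while the instance boots, and once attached it grants s3:GetObject on the single object from a single /32 rather than on the whole bucket.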
