[英]AWS S3 Bucket Access from EC2
I need to fire up an S3 bucket so my EC2 instances have access to store image files to it.我需要启动一个 S3 存储桶,以便我的 EC2 实例可以访问将图像文件存储到它。 The EC2 instances need read/write permissions. EC2 实例需要读/写权限。 I do not want to make the S3 bucket publicly available, I only want the EC2 instances to have access to it.我不想让 S3 存储桶公开可用,我只希望 EC2 实例可以访问它。
The other gotcha is my EC2 instances are being managed by OpsWorks and I can have may different instances being fired up depending on load/usage.另一个问题是我的 EC2 实例由 OpsWorks 管理,我可能会根据负载/使用情况启动不同的实例。 If I were to restrict it by IP, I may not always know the IP the EC2 instances have.如果我通过 IP 对其进行限制,我可能并不总是知道 EC2 实例拥有的 IP。 Can I restrict by VPC?我可以通过 VPC 进行限制吗?
Do I have to make my S3 bucket enabled for static website hosting?我是否必须为静态网站托管启用我的 S3 存储桶? Do I need to make all files in the bucket public as well for this to work?我是否需要公开存储桶中的所有文件才能使其正常工作?
You do not need to make the bucket public readable, nor the files public readable.您不需要使存储桶公开可读,也不需要使文件公开可读。 The bucket and it's contents can be kept private.存储桶及其内容可以保密。
Don't restrict access to the bucket based on IP address, instead restrict it based on the IAM role the EC2 instance is using.不要根据 IP 地址限制对存储桶的访问,而是根据 EC2 实例使用的 IAM 角色来限制它。
For example:例如:
{
"Version": "2012-10-17",
"Statement":[{
"Effect": "Allow",
"Action": "s3:*",
"Resource": ["arn:aws:s3:::my_bucket",
"arn:aws:s3:::my_bucket/*"]
}
]
}
For example:例如:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": ["arn:aws:iam::111122223333:role/my-ec2-role"]
},
"Action": "s3:*",
"Resource": ["arn:aws:s3:::my_bucket",
"arn:aws:s3:::my_bucket/*"]
}
]
}
Additional information: http://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourc其他信息: http : //blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourc
This can be done very simply.这可以非常简单地完成。 Follow the following steps:请按照以下步骤操作:
When this is done, connect to the AWS instance and the rest will be done via the following CLI commands:完成后,连接到 AWS 实例,其余的将通过以下 CLI 命令完成:
Please note... the file location refers to the local address.请注意...文件位置是指本地地址。 And the bucketname is the name of your bucket. bucketname 是您的存储桶的名称。 Also note: This is possible if your instance and S3 bucket are in the same account.另请注意:如果您的实例和 S3 存储桶在同一个账户中,这是可能的。 Cheers.干杯。
IAM role is the solution for you. IAM 角色是适合您的解决方案。
You need create role with s3 access permission, if the ec2 instance was started without any role, you have to re-build it with that role assigned.您需要创建具有 s3 访问权限的角色,如果 ec2 实例在没有任何角色的情况下启动,则必须使用分配的角色重新构建它。
Refer: Allowing AWS OpsWorks to Act on Your Behalf请参阅: 允许 AWS OpsWorks 代表您采取行动
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.