[英]PHP SDK Cannot get AWS Credentials on EC2 Instance with IAM Role attached
Simple question. 简单的问题。 But cannot get it to work. 但是无法使其正常工作。
I created an IAM Role for EC2 with full access to CloudWatch. 我为EC2创建了一个IAM角色,可以完全访问CloudWatch。 I launched a new EC2 instance with this IAM Role attached. 我启动了一个新的带有此IAM角色的EC2实例。 I wrote a simple PHP application on this EC2 instance which tries to publish metrics to CloudWatch. 我在此EC2实例上编写了一个简单的PHP应用程序,试图将指标发布到CloudWatch。
I am getting this error in nginx logs: 我在Nginx日志中收到此错误:
2017/08/23 11:44:06 [error] 32142#32142: *5 FastCGI sent in stderr:
"PHP message: PHP Fatal error:
Uncaught Aws\Exception\CredentialsException:
Cannot read credentials from /var/www/.aws/credentials
in /var/www/app/vendor/aws/aws-sdk-php/src/Credentials/CredentialProvider.php:394
From that same EC2 instance, the command: 在同一EC2实例中,命令:
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-attached-to-ec2-instance>
returns 200 OK with the Access Key and Secret in the response. 返回200 OK,并在响应中带有访问密钥和秘密。
This is my PHP code that tries to write CloudWatch metrics: 这是我的PHP代码,试图编写CloudWatch指标:
<?php
require 'vendor/autoload.php';
use Aws\CloudWatch\CloudWatchClient;
use Aws\Exception\AwsException;
$count = $_GET["count"];
publishMetric($count);
function publishMetric($count) {
$client = new CloudWatchClient([
'profile' => 'default',
'region' => 'us-east-1',
'version' => '2010-08-01'
]);
try {
$result = $client->putMetricData(array(
'Namespace' => 'com.mynamespace',
'MetricData' => array(
array(
'MetricName' => 'Count',
//Timestamp : mixed type: string (date format)|int (unix timestamp)|\DateTime
'Timestamp' => time(),
'Value' => $count,
'Unit' => 'Number'
)
)
));
var_dump($result);
echo 'Done publishing metrics';
} catch (AwsException $e) {
// output error message if fails
error_log($e->getMessage());
echo 'Failure to publish metrics';
}
}
?>
Any idea what is missing in this setup? 知道此设置中缺少什么吗?
Authentication of EC2 instance while accessing other AWS Services can be done in multiple ways: 访问其他AWS服务时,可以通过多种方式对EC2实例进行身份验证:
Both these are independent authentication mechanism. 两者都是独立的身份验证机制。 If you have already assigned role to your server; 如果您已经为服务器分配了角色; you do not have to write any code in your application (CredentialProvider.php) to authenticate. 您不必在应用程序(CredentialProvider.php)中编写任何代码即可进行身份验证。
Your current code can also be worked by creating a file /var/www/.aws/credentials which will look something like this: 您还可以通过创建文件/var/www/.aws/credentials来工作当前代码,该文件如下所示:
accessKey=AKIAIB6FA52IMGLREIIB
secretKey=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
I know this is late. 我知道这晚了。 I had the same issue and resolved it by removing profile => default
line while initializing the client. 我遇到了同样的问题,并通过在初始化客户端时删除profile => default
行来解决此问题。 If you do not provide credentials and profile, SDK will try to retrieve instance profile creds from metadata server. 如果您不提供凭据和配置文件,SDK将尝试从元数据服务器检索实例配置文件凭据。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.