无法使用IAM角色凭据使用Python将文件上传到S3
[英]Unable to upload file to S3 with Python using IAM role credentials
问题描述
The following resolved issues allow me to unload, copy, run queries, create tables, etc in Redshift: Redshift create table not working via Python and Unload to S3 with Python using IAM Role credentials . 
以下已解决的问题使我可以在Redshift中卸载,复制,运行查询,创建表等: Redshift创建表无法通过Python工作,并使用IAM角色凭据 通过Python 卸载到S3 。 Note that there is no dependency on Boto3 even though I am succesfully writing to and copying from S3 via Redshift. 请注意,即使我通过Redshift成功写入S3并从S3复制,也不依赖Boto3。
I would like to be able to upload a file to S3 dynamically, in Python (from cwd)- however I don't seem to find documentation or examples of how it is possible to do using iam_role 'arn:aws:iam:<aws-account-id>:role/<role_name> rather than access and secret keys as per http://boto3.readthedocs.io/en/latest/guide/quickstart.html . 我希望能够使用Python(从cwd)动态地将文件上传到S3,但是我似乎找不到文档或如何使用iam_role 'arn:aws:iam:<aws-account-id>:role/<role_name>而不是按照http://boto3.readthedocs.io/zh-CN/latest/guide/quickstart.html进行访问和使用秘密密钥。
Any help is greatly appreciated. 任何帮助是极大的赞赏。 This is what I have right now, and it throws an error of Unable to locate credentials : 这就是我现在所拥有的,并且抛出错误: Unable to locate credentials :
import boto3
#Input parameters for s3 buckets and s3 credentials
bucket_name = ''
bucket_key = ''
filename_for_csv = 'output.csv'
#Moving file to S3
s3 = boto3.resource('s3')
data = open(filename_for_csv, 'rb')
s3.Bucket(bucket_name).put_object(Key=bucket_key, Body=data, ServerSideEncryption='AES256')
2 个解决方案
解决方案1
0 2018-01-16 18:31:43
If you are running this script from an EC2 instance, attach an IAM role to the instance. 如果您是从EC2实例运行此脚本,则将IAM角色附加到该实例。 The IAM role should contain the following policy (in addition to what you already have). IAM角色(除了已经拥有的策略之外)还应包含以下策略。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "statement1",
"Effect": "Allow",
"Action": ["s3:PutObject"],
"Resource": "arn:aws:s3:::examplebucket/*"
}
]
}
If you are not running this script in an EC2 instance, you need to use the access and secret keys. 如果您不在EC2实例中运行此脚本,则需要使用访问密钥和秘密密钥。
解决方案2
0 已采纳 2018-01-16 19:04:38
You will need AWS IAM Access Keys. 您将需要AWS IAM访问密钥。
The issue for you is that you need access keys in order to call STS (Security Token Service) which then can process AssumeRole() with your role ARN which then generates new temporary access keys. 您遇到的问题是,您需要访问密钥才能调用STS(安全令牌服务),然后可以使用您的角色ARN处理AssumeRole(),然后生成新的临时访问密钥。
However, if you have access keys then you do not need to use AssumeRole(). 但是,如果您具有访问键,则无需使用AssumeRole()。
If your machine is outside of AWS, then you will need to use access keys, or an authentication / authorization service like Cognito. 如果您的计算机不在AWS之外,那么您将需要使用访问密钥或Cognito之类的身份验证/授权服务。
IAM Roles are designed for services, such as Redshift, EC2, etc which have permission to call STS with your role ARN to generate new temporary access keys. IAM角色是为服务(例如Redshift,EC2等)设计的,这些服务有权使用您的角色ARN调用STS以生成新的临时访问密钥。 Roles are not designed to be called outside of AWS (there are exceptions, such as Cognito). 角色并非设计为在AWS外部调用(存在例外,例如Cognito)。
[Edit after new comment] [在新评论后编辑]
You have several solutions: 您有几种解决方案:
- Signed URLs. 签名的URL。 Assign the role to EC2. 将角色分配给EC2。 Then have EC2 create signed URLs that you can use locally to upload files to S3. 然后让EC2创建签名的URL,您可以在本地使用这些URL将文件上传到S3。 This keeps the access keys off your system. 这样可以将访问密钥保留在系统之外。
- Use Cognito. 使用Cognito。 Cognito is easy to work with and there are lots of code examples on the Internet. Cognito易于使用,并且Internet上有很多代码示例。 Cognito will provide authentication, authorization and temporary credentials for you. Cognito将为您提供身份验证,授权和临时凭证。
- Assign your role to EC2 so that EC2 can upload to S3. 将您的角色分配给EC2,以便EC2可以上载到S3。 Then you have the issue of getting the file to EC2 and paying for the extra bandwidth (EC2 -> S3). 然后,您遇到了将文件获取到EC2并支付额外带宽的问题(EC2-> S3)。 You can use SSH and SCP to copy files securely to EC2 and then launch a process to copy to S3. 您可以使用SSH和SCP将文件安全地复制到EC2,然后启动一个过程以复制到S3。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.