AWS - 无法从 EC2 访问 S3 存储桶对象
[英]AWS - Unable to access S3 bucket object from EC2
问题描述
I am not sure if I am missing a step here or not.
我不确定我是否在这里遗漏了一步。
I have an s3 bucket I need to be able to access from an AWS SDK PHP script I wrote running on my EC2.我有一个 s3 存储桶,我需要能够从我编写的在 EC2 上运行的 AWS SDK PHP 脚本进行访问。 I created an IAM role to allow access.我创建了一个 IAM 角色以允许访问。
IAM Allow_S3_Access_to_EC2 IAM Allow_S3_Access_to_EC2
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::myinbox"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::myinbox/*"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
},
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": "s3:DeleteObject",
"Resource": "arn:aws:s3:::myinbox/*"
}
]
}
And my Trust Relationship for the IAM role is我对 IAM 角色的信任关系是
Trust Relationship信任关系
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
I then attached that IAM role to my EC2 instance.然后我将该 IAM 角色附加到我的 EC2 实例。 From what I have read this is all I have to do, but I think I need to do more.从我所读到的,这就是我所要做的,但我认为我需要做更多。
In my Bucket Policy I have the following to allow access from my SES to be able to create the email object.在我的存储桶策略中,我有以下内容允许从我的 SES 访问以创建电子邮件对象。
S3 Bucket Policy S3 存储桶策略
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSESPuts",
"Effect": "Allow",
"Principal": {
"Service": "ses.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::myinbox/*",
"Condition": {
"StringEquals": {
"aws:Referer": "************"
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::************:role/Allow_S3_Access_to_EC2"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::myinbox",
"arn:aws:s3:::myinbox/*"
]
}
]
}
My Bucket Policy has nothing in there for my EC2 or even my IAM role I have attached.我的存储桶策略中没有我的 EC2 甚至我附加的 IAM 角色。 Do I need to add something to my Bucket Policy as well?我是否还需要在我的存储桶策略中添加一些内容? That is where I am confused.这就是我感到困惑的地方。
What I am experiencing is when a new object is created and I try and access that object from my AWS SDK PHP I get a "403" Forbidden.我遇到的是当创建一个新对象并且我尝试从我的 AWS SDK PHP 访问该对象时,我收到“403”禁止。 If I make that object public in the S3 console I can then access it just fine.如果我在 S3 控制台中公开该对象,我就可以很好地访问它。 So even though I have set permissions for my EC2 to access my S3 unless I make the object public I can't access it.因此,即使我已为 EC2 设置了访问 S3 的权限,除非我将对象设为公开,否则我无法访问它。
I even tried using wget to the object on the actual server through the terminal and I still get the 403 unless I make the object public我什至尝试通过终端对实际服务器上的对象使用wget ,但除非我将对象设为公开,否则我仍然会得到403
When I run the IAM Policy Simulator on my role I get当我在我的角色上运行 IAM 策略模拟器时,我得到
Here is my PHP这是我的 PHP
PHP Script PHP脚本
require '../aws-ses/aws-autoloader.php';
use Aws\S3\S3Client;
use Aws\S3\Exception\S3Exception;
$bucketName = 'myinbox';
try {
// Instantiate the client.
$s3 = new S3Client([
'version' => 'latest',
'region' => 'us-west-2',
'credentials' => array('key'=>'*********************',
'secret'=>'*******************************************')
]);
} catch (Exception $e) {
// We use a die, so if this fails. It stops here. Typically this is a REST call so this would
// return a json object.
die("Error: " . $e->getMessage());
}
// Use the high-level iterators (returns ALL of your objects).
$objects = $s3->getIterator('ListObjects', array('Bucket' => $bucketName));
2 个解决方案
解决方案1
0 2020-02-04 19:18:53
First, did you set up the trust relationship so that the EC2 service can assume that role?首先,您是否建立了信任关系,以便 EC2 服务可以承担该角色?
Next, you don't associate IAM roles directly with EC2 instances;接下来,您不要将 IAM 角色直接与 EC2 实例相关联; instead you need to use an Instance Profile.相反,您需要使用实例配置文件。 Did you set up an Instance Profile associated with that Role?您是否设置了与该角色关联的实例配置文件?
This document is a good start: https://docs.aws.amazon.com/codedeploy/latest/userguide/getting-started-create-iam-instance-profile.html本文档是一个好的开始: https : //docs.aws.amazon.com/codedeploy/latest/userguide/getting-started-create-iam-instance-profile.html
解决方案2
0 2020-02-04 20:58:21
1) I would make sure that you're ec2 is using the role to call the s3, use the command below to identify 1)我会确保你是ec2正在使用角色来调用s3,使用下面的命令来识别
aws sts get-caller-identity
2) I would revoke existing sessions to make sure the new session has refreshed the roles 2)我会撤销现有会话以确保新会话刷新了角色
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html
3) use the S3 access analyzer to define the access resolving 3)使用S3访问分析器定义访问解析
https://docs.aws.amazon.com/AmazonS3/latest/user-guide/access-analyzer.html https://docs.aws.amazon.com/AmazonS3/latest/user-guide/access-analyzer.html
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.