堆栈内存溢出
  简体   繁体   English

从 VPC 访问 S3 存储桶

[英]Access S3 bucket from VPC

 原文  2020-02-22 21:12:58       amazon-web-services/ amazon-s3

问题描述

I'm running a NodeJS script and using the aws-sdk package to write files to an S3 bucket.我正在运行 NodeJS 脚本并使用 aws-sdk 包将文件写入 S3 存储桶。 This works fine when I run the script locally, but not from a ECS Fargate service, that's when I get Error: AccessDenied: Access Denied .当我在本地运行脚本而不是从 ECS Fargate 服务运行脚本时,这很好用,那是我收到Error: AccessDenied: Access Denied

The service has the allowed VPC vpc-05dd973c0e64f7dbc .该服务具有允许的 VPC vpc-05dd973c0e64f7dbc I've tried adding an Internet Gateway to this VPC, and also an endpoint (as seen in the attached image) - but nothing resolves the Access Denied error.我已经尝试向该 VPC 添加一个 Internet 网关,以及一个端点(如附图所示) - 但没有解决访问被拒绝错误。 Any ideas what I'm missing here?任何想法我在这里失踪?

SOLVED: the problem was me misunderstanding aws:sourceVpce.已解决:问题是我误解了 aws:sourceVpce。 It requires the VPC endpoint id and not the VPC id.它需要 VPC 终端节点 ID 而不是 VPC ID。 ** **

Endpoint端点

端点

Internet Gateway互联网网关互联网网关

Bucket policy:桶策略:

{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E3MKW5OAU5CHLI"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::mywebsite.com/*"
        },
        {
            "Sid": "Stmt1582486025157",
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::mywebsite.com/*",
            "Principal": "*",
            "Condition": {
                "StringEquals": {
                    "aws:sourceVpce": "vpc-05dd973c0e64f7dbc"
                }
            }
        }
    ]
}

1 个解决方案

解决方案1
 1 已采纳  2020-02-23 10:01:38

Please add an bucket policy that allows access from the VPC endpoint.请添加允许从 VPC 终端节点访问的存储桶策略。

Update your bucket policy with a condition, that allows users to access the S3 bucket when the request is from the VPC endpoint that you created.使用条件更新您的存储桶策略,当请求来自您创建的 VPC 终端节点时,该条件允许用户访问 S3 存储桶。 To white list those users to download objects, you can use a bucket policy that's similar to the following:要将这些用户列入白名单以下载对象,您可以使用类似于以下内容的存储桶策略:

Note: For the value of aws:sourceVpce , enter the VPC endpoint ID of the endpoint that you created.注意:对于aws:sourceVpce的值,输入您创建的终端节点的 VPC 终端节点 ID。

{
   "Version": "2012-10-17",
   "Id": "Policy1314555909999",
   "Statement": [
     {
       "Sid": "<<Access-to-specific-VPConly>>",
       "Principal": "*",
       "Action": "s3:GetObject",
       "Effect": "Allow",
       "Resource": ["arn:aws:s3:::awsexamplebucket/*"],
       "Condition": {
         "StringEquals": {
           "aws:sourceVpce": "vpce-1c2g3t4e"
         }
       }
     }
   ]
}

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 允许从特定VPC或控制台访问S3存储桶 - Allow S3 Bucket access from either specific VPC or console 限制S3存储桶对VPC的访问 - Restricting S3 bucket access to a VPC 当s3具有vpc限制时,从lambdaw访问s3存储桶 - access s3 bucket from lambdaw when s3 has vpc restriction 如何允许从不同区域上的特定VPC访问特定的S3存储桶 - How to allow access to specific S3 bucket from specific VPC on different region 如何配置通过 VPC 从 aws ec2 实例访问我的 aws s3 存储桶 - How to configure access to my aws s3 bucket from aws ec2 instance via VPC 无法从 VPC 内访问托管在 S3 存储桶上的静态网站 - Cannot access static website hosted on S3 bucket, from within VPC 如何在允许控制台访问的同时将 S3 存储桶的访问权限限制为特定 VPC - How to limit access to an S3 bucket to a specific VPC while allowing console access S3存储桶访问 - S3 bucket access 从R访问S3存储桶 - To access S3 bucket from R Jenkins拒绝了S3存取桶访问 - S3 bucket access denied from Jenkins
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM