AWS Data Pipeline: Issue with permissions S3 Access for IAM role
I am using the "Load S3 data into RDS MySql table" template in AWS Data Pipeline to import a csv from an S3 bucket into our RDS MySql. But I (as an IAM user with full administrator rights) get a warning that I cannot resolve:

Object: Ec2Instance - WARNING: Could not validate S3 Access for role. Please ensure role ('DataPipelineDefaultRole') has s3:Get*, s3:List*, s3:Put* and sts:AssumeRole permissions for DataPipeline.
Google tells me not to use the default policies of DataPipelineDefaultRole and DataPipelineDefaultResourceRole. Following the IAM Roles for AWS Data Pipeline documentation and a thread on the AWS support forum, I used inline policies and edited the trust relationships of both roles.
Policy DataPipelineDefaultRole:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:*",
        "datapipeline:DescribeObjects",
        "datapipeline:EvaluateExpression",
        "dynamodb:BatchGetItem",
        "dynamodb:DescribeTable",
        "dynamodb:GetItem",
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:UpdateTable",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CancelSpotInstanceRequests",
        "ec2:CreateSecurityGroup",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:Describe*",
        "ec2:ModifyImageAttribute",
        "ec2:ModifyInstanceAttribute",
        "ec2:RequestSpotInstances",
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:DeleteSecurityGroup",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:DescribeNetworkInterfaces",
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:DetachNetworkInterface",
        "elasticmapreduce:*",
        "iam:GetInstanceProfile",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:ListInstanceProfiles",
        "iam:PassRole",
        "rds:DescribeDBInstances",
        "rds:DescribeDBSecurityGroups",
        "redshift:DescribeClusters",
        "redshift:DescribeClusterSecurityGroups",
        "s3:CreateBucket",
        "s3:DeleteObject",
        "s3:Get*",
        "s3:List*",
        "s3:Put*",
        "sdb:BatchPutAttributes",
        "sdb:Select*",
        "sns:GetTopicAttributes",
        "sns:ListTopics",
        "sns:Publish",
        "sns:Subscribe",
        "sns:Unsubscribe",
        "sqs:CreateQueue",
        "sqs:Delete*",
        "sqs:GetQueue*",
        "sqs:PurgeQueue",
        "sqs:ReceiveMessage"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": [
            "elasticmapreduce.amazonaws.com",
            "spot.amazonaws.com"
          ]
        }
      }
    }
  ]
}
Trust relationship DataPipelineDefaultRole:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ec2.amazonaws.com",
          "elasticmapreduce.amazonaws.com",
          "datapipeline.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Policy DataPipelineDefaultResourceRole:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:*",
        "datapipeline:*",
        "dynamodb:*",
        "ec2:Describe*",
        "elasticmapreduce:AddJobFlowSteps",
        "elasticmapreduce:Describe*",
        "elasticmapreduce:ListInstance*",
        "rds:Describe*",
        "redshift:DescribeClusters",
        "redshift:DescribeClusterSecurityGroups",
        "s3:*",
        "sdb:*",
        "sns:*",
        "sqs:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
Trust relationship DataPipelineDefaultResourceRole:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
I have tried several options/combinations, but the warning persists. Does anyone know how to resolve this permissions problem?
I don't think there is anything wrong with the way your policies and roles are defined. It all looks fine. The only thing I can think of is: how quickly did you create the pipeline after defining the roles?

Keep in mind that IAM policies are global while a Data Pipeline lives in a specific region, so give it some sleep time between creating the policies/roles and creating the data pipeline; AWS needs time to replicate IAM policy changes to all regions.

E.g. if you are using the bash aws-cli to create/update the role and then create/activate the data pipeline, insert `sleep Xs` between the role and data pipeline creation.
Nitpick: you don't need ec2.amazonaws.com in the trust relationship of DataPipelineDefaultRole.
I may be a bit late answering this, but I just found that the warning message you see can be misleading. The warning appears if you configure the pipeline to put its logs into an S3 bucket and you specify only the root of the bucket rather than a path. For example, if I set the configuration field "Pipeline Log Uri" (which I found in the default configuration) to s3://bucket-name/ then I see the warning. On the other hand, if I specify a path such as s3://bucket-name/logs, the warning disappears.

The following thread in the AWS forums was very helpful in resolving this: https://forums.aws.amazon.com/thread.jspa?threadID=164635.
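As an added example (not code from the question, the answers, or any AWS tool), the script below checks offline the two things the warning text asks for against the role documents posted in the question: that the inline policy allows s3:Get*, s3:List* and s3:Put* (resolved to concrete actions with IAM's case-insensitive wildcard matching, with an explicit Deny overriding an Allow), and that the trust relationship lets datapipeline.amazonaws.com call sts:AssumeRole. It also encodes the "Pipeline Log Uri" observation from the last answer (bucket root vs. key prefix) as a check, so all three findings come out of one function. The policy copy is abbreviated to the S3/STS-relevant actions, the required-action list and the function names are assumptions made here, and statements using NotAction are deliberately not handled.

```python
"""Offline sanity check of a Data Pipeline role against the console warning:
s3:Get*, s3:List*, s3:Put* in the role policy, sts:AssumeRole for
datapipeline.amazonaws.com in the trust relationship, and a log URI that
names a key prefix rather than a bucket root. Example code, not AWS tooling."""
import fnmatch
from urllib.parse import urlparse

# Abbreviated copy of the DataPipelineDefaultRole inline policy from the question
# (only the S3/STS-relevant actions are kept; the others are omitted here).
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:CreateBucket", "s3:DeleteObject", "s3:Get*", "s3:List*",
                       "s3:Put*", "iam:PassRole", "datapipeline:DescribeObjects"],
            "Resource": ["*"],
        }
    ],
}

# Trust relationship of DataPipelineDefaultRole, as posted in the question.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": ["ec2.amazonaws.com", "elasticmapreduce.amazonaws.com",
                                      "datapipeline.amazonaws.com"]},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Concrete actions behind the wildcards in the warning (assumed list, not from the page).
REQUIRED_ACTIONS = ["s3:GetObject", "s3:ListBucket", "s3:PutObject"]


def _as_list(value):
    """IAM accepts a string or a list in Action/Principal fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_allowed(policy, action):
    """True if some Allow statement matches `action` and no Deny statement does.
    Statements written with NotAction are not evaluated (assumption: plain Action only)."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if not any(_matches(p, action) for p in _as_list(stmt.get("Action"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit deny always wins
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Required actions the policy does not grant."""
    return [a for a in required if not action_allowed(policy, a)]


def trusts_service(trust_policy, service):
    """True if the trust relationship lets `service` assume the role."""
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_matches(p, "sts:AssumeRole") for p in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict) and service in _as_list(principal.get("Service")):
            return True
    return False


def log_uri_has_prefix(uri):
    """False for a bare bucket root such as s3://bucket-name/, True for s3://bucket-name/logs."""
    parsed = urlparse(uri)
    return parsed.scheme == "s3" and bool(parsed.netloc) and parsed.path.strip("/") != ""


def check_role(policy, trust_policy, log_uri):
    """Human-readable findings; an empty list means everything the warning asks for is present."""
    findings = [f"role policy does not allow {a}" for a in missing_actions(policy)]
    if not trusts_service(trust_policy, "datapipeline.amazonaws.com"):
        findings.append("trust relationship does not let datapipeline.amazonaws.com assume the role")
    if not log_uri_has_prefix(log_uri):
        findings.append(f"Pipeline Log Uri {log_uri!r} is a bucket root; use a key prefix")
    return findings


if __name__ == "__main__":
    for uri in ("s3://bucket-name/", "s3://bucket-name/logs"):
        print(uri, "->", check_role(ROLE_POLICY, TRUST_POLICY, uri) or "OK")
```

Run against the posted documents, the only finding is the bucket-root log URI, which matches the last answer: the policy and trust relationship already satisfy the warning's stated requirements, so the warning is not a permissions gap at all. The same functions can be pointed at a policy fetched with the AWS CLI once propagation has had time to complete, as the first answer advises.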