Amazon-Web-Services
使用 CF::Init 通過 IAM 角色從我的 EC2 實例訪問 S3 儲存桶不起作用
我有一個用於設置 ECS 集群的 CloudFormation 模板,我正在嘗試使用 ASG 上的 CloudFormation::Init 將一些配置文件放到盒子上,並將它們從 S3 中拉出。
"ECSASGLaunchConfiguration": { "Type": "AWS::AutoScaling::LaunchConfiguration", "Metadata": { "AWS::CloudFormation::Authentication": { "S3AccessCreds": { "type": "S3", "roleName": { "Ref": "ECSEC2InstanceIAMRole" } } }, "AWS::CloudFormation::Init": { "config": { "packages": { }, "groups": { }, "users": { }, "sources": { }, "files": { "/etc/dd-agent/conf.d/nginx.yaml": { "source": "https://s3.amazonaws.com/foobar/scratch/nginx.yaml", "mode": "000644", "owner": "root", "group": "root" }, "/etc/dd-agent/conf.d/docker_daemon.yaml": { "source": "https://s3.amazonaws.com/foobar/scratch/docker_daemon.yaml", "mode": "000644", "owner": "root", "group": "root" } }, "commands": { }, "services": { } } } },為此,我在為我的 EC2 實例創建的角色中添加了一個內聯策略,它應該允許從實例進行所有 S3 訪問。
"ECSEC2InstanceIAMRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "ec2.amazonaws.com" ] }, "Action": [ "sts:AssumeRole" ] } ] }, "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role", "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess" ], "Path": "/", "Policies": [ { "PolicyName": "otxS3access", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*" }, { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::foobar" }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject" ], "Resource": "arn:aws:s3:::foobar/*" } ] } } ] } }, "ECSEC2InstanceIAMProfile": { "Type": "AWS::IAM::InstanceProfile", "Properties": { "Path": "/", "Roles": [ { "Ref": "ECSEC2InstanceIAMRole" } ] } },但它不起作用。我在日誌中找不到錯誤(或其他任何內容)。當我手動嘗試從實例中捲曲它時,它也不起作用,“
AccessDenied…”在這種情況下,儲存桶本身“foobar”除了不公開之外沒有任何特殊權限,只是標準帳戶名單一被授權者。
知道我做錯了什麼嗎?
我發現了問題。問題中的所有 CloudFormation 都很好,可以做它應該做的事情。問題在於我在 ASG 的啟動配置中設置的實例使用者數據中執行 cfn-init - 它不起作用,因此它沒有執行 init 內容。感謝@Rob-d,您的評論使我走上了通往可執行級別的道路。
使所有這些工作的神奇的另一部分:
"UserData": { "Fn::Base64": { "Fn::Join": [ "", [ "#!/bin/bash\n", "cat > /etc/ecs/ecs.config <<EOF\n", "ECS_CLUSTER=", { "Ref": "ECSCluster" }, "\n", "ECS_ENGINE_AUTH_TYPE=docker\n", "ECS_ENGINE_AUTH_DATA={REDACTED}\n", "EOF\n", "yum -y install aws-cfn-bootstrap\n", "# Install the files and packages from the metadata\n", "/opt/aws/bin/cfn-init -v ", " --stack ", { "Ref": "AWS::StackName" }, " --resource ECSASGLaunchConfiguration ", " --region ", { "Ref": "AWS::Region" }, "\n", "/opt/aws/bin/cfn-signal -e -0 ", " --stack ", { "Ref": "AWS::StackName" }, " --resource ECSAutoScalingGroup ", " --region ", { "Ref": "AWS::Region" }, "\n", "\n" ] ] } }