Amazon-Web-Services

使用 CF::Init 通過 IAM 角色從我的 EC2 實例訪問 S3 儲存桶不起作用

  • April 12, 2016

我有一個用於設置 ECS 集群的 CloudFormation 模板,我正在嘗試使用 ASG 上的 CloudFormation::Init 將一些配置文件放到盒子上,並將它們從 S3 中拉出。

"ECSASGLaunchConfiguration": {
 "Type": "AWS::AutoScaling::LaunchConfiguration",
 "Metadata": {
   "AWS::CloudFormation::Authentication": {
     "S3AccessCreds": {
       "type": "S3",
       "roleName": {
         "Ref": "ECSEC2InstanceIAMRole"
       }
     }
   },
   "AWS::CloudFormation::Init": {
     "config": {
       "packages": {
       },
       "groups": {
       },
       "users": {
       },
       "sources": {
       },
       "files": {
         "/etc/dd-agent/conf.d/nginx.yaml": {
           "source": "https://s3.amazonaws.com/foobar/scratch/nginx.yaml",
           "mode": "000644",
           "owner": "root",
           "group": "root"
         },
         "/etc/dd-agent/conf.d/docker_daemon.yaml": {
           "source": "https://s3.amazonaws.com/foobar/scratch/docker_daemon.yaml",
           "mode": "000644",
           "owner": "root",
           "group": "root"
         }
       },
       "commands": {
       },
       "services": {
       }
     }
   }
 },

為此,我在為我的 EC2 實例創建的角色中添加了一個內聯策略,它應該允許從實例進行所有 S3 訪問。

"ECSEC2InstanceIAMRole": {
 "Type": "AWS::IAM::Role",
 "Properties": {
   "AssumeRolePolicyDocument": {
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "Service": [
             "ec2.amazonaws.com"
           ]
         },
         "Action": [
           "sts:AssumeRole"
         ]
       }
     ]
   },
   "ManagedPolicyArns": [
     "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
     "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess"
   ],
   "Path": "/",
   "Policies": [
     {
       "PolicyName": "otxS3access",
       "PolicyDocument": {
         "Version": "2012-10-17",
         "Statement": [
           {
             "Effect": "Allow",
             "Action": "s3:ListAllMyBuckets",
             "Resource": "arn:aws:s3:::*"
           },
           {
             "Effect": "Allow",
             "Action": [
               "s3:ListBucket",
               "s3:GetBucketLocation"
             ],
             "Resource": "arn:aws:s3:::foobar"
           },
           {
             "Effect": "Allow",
             "Action": [
               "s3:GetObject",
               "s3:PutObject",
               "s3:DeleteObject"
             ],
             "Resource": "arn:aws:s3:::foobar/*"
           }
         ]
       }
     }
   ]
 }
},
"ECSEC2InstanceIAMProfile": {
 "Type": "AWS::IAM::InstanceProfile",
 "Properties": {
   "Path": "/",
   "Roles": [
     {
       "Ref": "ECSEC2InstanceIAMRole"
     }
   ]
 }
},

但它不起作用。我在日誌中找不到錯誤(或其他任何內容)。當我手動嘗試從實例中捲曲它時,它也不起作用,“ AccessDenied…”

在這種情況下,儲存桶本身“foobar”除了不公開之外沒有任何特殊權限,只是標準帳戶名單一被授權者。

知道我做錯了什麼嗎?

我發現了問題。問題中的所有 CloudFormation 都很好,可以做它應該做的事情。問題在於我在 ASG 的啟動配置中設置的實例使用者數據中執行 cfn-init - 它不起作用,因此它沒有執行 init 內容。感謝@Rob-d,您的評論使我走上了通往可執行級別的道路。

使所有這些工作的神奇的另一部分:

   "UserData": {
     "Fn::Base64": {
       "Fn::Join": [
         "",
         [
           "#!/bin/bash\n",
           "cat > /etc/ecs/ecs.config <<EOF\n",
           "ECS_CLUSTER=",
           {
             "Ref": "ECSCluster"
           },
           "\n",
           "ECS_ENGINE_AUTH_TYPE=docker\n",
           "ECS_ENGINE_AUTH_DATA={REDACTED}\n",
           "EOF\n",
           "yum -y install aws-cfn-bootstrap\n",
           "# Install the files and packages from the metadata\n",
           "/opt/aws/bin/cfn-init -v ",
           "         --stack ",
           {
             "Ref": "AWS::StackName"
           },
           "         --resource ECSASGLaunchConfiguration ",
           "         --region ",
           {
             "Ref": "AWS::Region"
           },
           "\n",
           "/opt/aws/bin/cfn-signal -e -0 ",
           "         --stack ",
           {
             "Ref": "AWS::StackName"
           },
           "         --resource ECSAutoScalingGroup ",
           "         --region ",
           {
             "Ref": "AWS::Region"
           },
           "\n",
           "\n"
         ]
       ]
     }
   }

引用自:https://serverfault.com/questions/769069