Bootstrap
登录 注册

将S3对象复制到另一个S3位置Elastic Beanstalk SSH设置错误

amazon-web-servicesamazon-s3amazon-elastic-beanstalkamazon-iam
发布时间:2020-07-06 07:46

尝试执行此操作时遇到此Elastic Beanstalk权限错误:

eb ssh --setup

2020-07-06 07:36:50    INFO    Environment update is starting.      
2020-07-06 07:36:53    ERROR   Service:Amazon S3, Message:You don't have permission to copy an Amazon S3 object to another S3 location. Source: bucket = 'tempsource', key = 'xxx'. Destination: bucket = 'tempdest', key = 'yyy'.
2020-07-06 07:36:53    ERROR   Failed to deploy configuration.

是否有应添加到IAM权限的特定策略?我尝试将完整的S3访问权限添加到我的IAM用户,但是错误仍然存​​在。还是权限错误与源存储桶相关?

更多详细信息:

两个存储桶都在同一个AWS账户中。复制操作不适用于AWS CLI复制命令。

存储桶配置文件

源存储桶

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::XXXXXXXXXXXX:role/aws-elasticbeanstalk-ec2-role"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::SOURCE_BUCKET/*"
        },
        {
            "Sid": "Stmt2",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::XXXXXXXXXXXX:role/aws-elasticbeanstalk-ec2-role"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::SOURCE_BUCKET"
        }
    ]
}

目的地桶(elasticbeanstalk-us-west-2-XXXXXXXXXXXX)

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "eb-ad78f54a-f239-4c90-adda-49e5f56cb51e",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::XXXXXXXXXXXX:role/aws-elasticbeanstalk-ec2-role"
            },
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::elasticbeanstalk-us-west-2-XXXXXXXXXXXX/*",
                "arn:aws:s3:::elasticbeanstalk-us-west-2-XXXXXXXXXXXX/resources/environments/logs/*"
            ]
        },
        {
            "Sid": "eb-af163bf3-d27b-4712-b795-d1e33e331ca4",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::XXXXXXXXXXXX:role/aws-elasticbeanstalk-ec2-role"
            },
            "Action": [
                "s3:ListBucket",
                "s3:ListBucketVersions",
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::elasticbeanstalk-us-west-2-XXXXXXXXXXXX",
                "arn:aws:s3:::elasticbeanstalk-us-west-2-XXXXXXXXXXXX/resources/environments/*"
            ]
        },
        {
            "Sid": "eb-58950a8c-feb6-11e2-89e0-0800277d041b",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:DeleteBucket",
            "Resource": "arn:aws:s3:::elasticbeanstalk-us-west-2-XXXXXXXXXXXX"
        }
    ]
}
回答1

我尝试将完整的S3访问权限添加到我的IAM用户,但是错误仍然存​​在。

该错误与您的IAM权限(即您的IAM用户)无关。但是有关EB正在使用您的实例的角色(即实例角色/配置文件):

aws-elasticbeanstalk-ec2-role中的实例上使用的默认角色。因此,您可以在IAM控制台中找到它,并添加所需的S3权限。根据您的设置,您可能会使用不同的角色。

还是权限错误与源存储桶相关?

如果您有拒绝访问的存储桶策略,也可能是原因。

amazon-web-services 相关推荐
amazon-s3 相关推荐
amazon-elastic-beanstalk 相关推荐
amazon-iam 相关推荐