I'm trying to download the AWS CodeDeploy agent on my Amazon Linux instance. I followed the instructions for Amazon Linux at http://docs.aws.amazon.com/codedeploy/latest/userguide/how-to-run-agent.html and created the appropriate instance profile, service role, etc. Everything is up to date (Amazon Linux, CLI packages; it's a brand-new instance, and I've tried this on at least 3 fresh instances with the same result). All instances have full outbound internet access.
But the following command, which downloads the installer from S3, always fails:
aws s3 cp s3://aws-codedeploy-us-east-1/latest/install . --region us-east-1
with the error: A client error (403) occurred when calling the HeadObject operation: Forbidden. Completed 1 part(s) with ... file(s)
Can anyone help me with this error?
Answer 0 (score: 17)
I figured out the problem. According to the CodeDeploy documentation on IAM instance profiles,
http://docs.aws.amazon.com/codedeploy/latest/userguide/how-to-create-iam-instance-profile.html
your IAM instance profile needs the following permissions:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
But I had restricted the Resource to my own code bucket, because I don't want my instances to access other buckets directly. It turns out I also need to grant additional permission on the aws-codedeploy-us-east-1/* S3 resource in order to download the agent. This isn't made very clear in the documentation for setting up the IAM instance profile for CodeDeploy.
Answer 1 (score: 2)
A more restrictive policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::aws-codedeploy-us-east-1/*",
                "arn:aws:s3:::aws-codedeploy-us-west-1/*",
                "arn:aws:s3:::aws-codedeploy-us-west-2/*",
                "arn:aws:s3:::aws-codedeploy-ap-south-1/*",
                "arn:aws:s3:::aws-codedeploy-ap-northeast-2/*",
                "arn:aws:s3:::aws-codedeploy-ap-southeast-1/*",
                "arn:aws:s3:::aws-codedeploy-ap-southeast-2/*",
                "arn:aws:s3:::aws-codedeploy-ap-northeast-1/*",
                "arn:aws:s3:::aws-codedeploy-eu-central-1/*",
                "arn:aws:s3:::aws-codedeploy-eu-west-1/*",
                "arn:aws:s3:::aws-codedeploy-sa-east-1/*"
            ]
        }
    ]
}
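Both answers come down to the same check: does the instance profile's policy allow s3:GetObject on the regional aws-codedeploy bucket, and nothing wider than it has to? The script below is an added example, not code from either answer or from AWS. It contains a minimal offline evaluator for the kind of identity policy shown above (Effect/Action/Resource only, explicit Deny wins, otherwise implicit deny; no NotAction, NotResource or Condition handling), runs it against a constructed policy scoped to a placeholder artifact bucket named "my-deploy-artifacts" (an assumption, not from the page), and shows how adding the CodeDeploy bucket as a separate statement fixes the download without re-opening access to every bucket. HeadObject, the call that returned 403 in the question, is authorized by the s3:GetObject action, so that is the permission checked.

```python
import copy
import fnmatch
import json

# Constructed sample: an instance-profile policy scoped to one artifact bucket,
# the way the asker had it. "my-deploy-artifacts" is a placeholder bucket name.
RESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:Get*", "s3:List*"],
            "Resource": "arn:aws:s3:::my-deploy-artifacts/*",
        }
    ],
}


def agent_install_requests(region):
    """(action, resource) pairs the agent installer needs: reading
    latest/install from the regional CodeDeploy bucket (path from the question).
    HeadObject and GetObject both require the s3:GetObject permission."""
    obj = "arn:aws:s3:::aws-codedeploy-%s/latest/install" % region
    return [("s3:GetObject", obj)]


def _match(pattern, value):
    # IAM wildcard semantics: '*' matches any run of characters, '?' one character.
    return fnmatch.fnmatchcase(value, pattern)


def _as_list(x):
    return x if isinstance(x, list) else [x]


def is_allowed(policy, action, resource):
    """Minimal evaluator for a single identity policy document.
    Explicit Deny on a matching statement wins; otherwise any matching Allow
    grants access; otherwise implicit deny. Action names compare
    case-insensitively, as IAM does; resource ARNs compare case-sensitively."""
    decision = False
    for stmt in policy["Statement"]:
        action_hit = any(_match(p.lower(), action.lower())
                         for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(_match(p, resource)
                           for p in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def missing_for_agent(policy, region):
    """Return the (action, resource) pairs the agent installer needs that the
    policy does not allow. An empty list means this policy will not block the
    download (bucket policies and SCPs are outside this check)."""
    return [(a, r) for a, r in agent_install_requests(region)
            if not is_allowed(policy, a, r)]


def with_agent_bucket(policy, region):
    """Return a copy of the policy with read access to the regional CodeDeploy
    bucket added as its own statement, leaving the artifact-bucket scope as is."""
    new = copy.deepcopy(policy)
    new["Statement"].append({
        "Effect": "Allow",
        "Action": ["s3:Get*", "s3:List*"],
        "Resource": "arn:aws:s3:::aws-codedeploy-%s/*" % region,
    })
    return new


if __name__ == "__main__":
    print("missing before:", missing_for_agent(RESTRICTED_POLICY, "us-east-1"))
    fixed = with_agent_bucket(RESTRICTED_POLICY, "us-east-1")
    print("missing after: ", missing_for_agent(fixed, "us-east-1"))
    print(json.dumps(fixed, indent=4))
```

The evaluator is intentionally small and only covers the policy shapes on this page; the authoritative check for a real instance profile is `aws iam simulate-principal-policy` against the role, which also accounts for conditions and resource-based policies. Scoping the extra statement to one region's bucket keeps the instance from reading arbitrary buckets, which is the concern answer 0 raised.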