From an Elastic Beanstalk instance, how to

Time: 2016-02-28 19:16:09

Tags: amazon-web-services amazon-s3 amazon-ec2 docker elastic-beanstalk

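I created my Dockerrun.aws.json file and uploaded it when creating my Beanstalk (Docker) environment. I also uploaded the .dockercfg file created by the "docker login" command to the S3 bucket specified in the Dockerrun.aws.json configuration.

However, when I try to launch the environment, I get an error (at the bottom of the post) saying that the EC2 instance does not have access to the .dockercfg file in the bucket. How can I make sure the Beanstalk application can access the config JSON file in the provided S3 bucket?

Thanks! (Error below)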

i-64c62de7  Severe  1 day   -   -   -   -   -   -   -   -   -   -   0.00    0.01    0.3 0.0 0.0 99.6    0.1
    Application deployment failed at 2016-02-27T04:30:54Z with exit status 1 and error: Hook /opt/elasticbeanstalk/hooks/appdeploy/pre/03build.sh failed.

Traceback (most recent call last):
File "/opt/elasticbeanstalk/containerfiles/support/download_auth.py", line 18, in <module>
download_auth(argv[1], argv[2], get_instance_identity()['document']['region'])
File "/opt/elasticbeanstalk/containerfiles/support/download_auth.py", line 15, in download_auth
key.get_contents_to_filename('/root/.dockercfg')
File "/usr/lib/python2.7/dist-packages/boto/s3/key.py", line 1712, in get_contents_to_filename
response_headers=response_headers)
File "/usr/lib/python2.7/dist-packages/boto/s3/key.py", line 1650, in get_contents_to_file
response_headers=response_headers)
File "/usr/lib/python2.7/dist-packages/boto/s3/key.py", line 1482, in get_file
query_args=None)
File "/usr/lib/python2.7/dist-packages/boto/s3/key.py", line 1514, in _get_file_internal
override_num_retries=override_num_retries)
File "/usr/lib/python2.7/dist-packages/boto/s3/key.py", line 343, in open
override_num_retries=override_num_retries)
File "/usr/lib/python2.7/dist-packages/boto/s3/key.py", line 303, in open_read
self.resp.reason, body)
boto.exception.S3ResponseError: S3ResponseError: 403 Forbidden
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>910AD275D3E3110A</RequestId><HostId>682j0cjMsfurjyy/PGT3W9wRxI+4sh+rrESuw2WpInERcn4p4f9XGwBFdpBmDYQc</HostId></Error>
Failed to download authentication credentials dockercfg from my-s3-bucket.

2 answers:

Answer 0 (score: 6)

You have to make sure the IAM role you are using has access to your bucket and key. Something like
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BucketAccess",
            "Effect": "Allow",
            "Action": [
                "s3:List*",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket"
            ]
        },
        {
            "Sid": "S3ObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket/*"
            ]
        }
    ]
}

If you don't do so already, you should point to the IAM role in .ebextensions instead of letting EB create its own, so that you can control it

- namespace: aws:autoscaling:launchconfiguration
  option_name: IamInstanceProfile
  value: arn:aws:iam::xxxxxxxxx:instance-profile/yourRole

Answer 1 (score: 0)

Just add the AmazonS3FullAccess policy to the aws-elasticbeanstalk-ec2-role role in IAM
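
An added example (not part of either answer, and not AWS's own evaluation logic): a simplified offline check of which S3 requests a policy's Allow statements cover, comparing answer 0's scoped policy with a stand-in for answer 1's AmazonS3FullAccess. The `.dockercfg` key name, the `other-bucket` probe and the `s3:*` on `*` stand-in are assumptions; Deny statements and conditions are not modelled.

```python
import re

def _match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def allows(policy, action, resource):
    """True if some Allow statement covers (action, resource).
    Simplified model: Deny, NotAction/NotResource and Condition are ignored."""
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        # Action names compare case-insensitively, resource ARNs case-sensitively
        if (any(_match(a, action, True) for a in _as_list(st.get("Action", [])))
                and any(_match(r, resource) for r in _as_list(st.get("Resource", [])))):
            return True
    return False

def excess(policy, needed, probes):
    """Probes the policy allows although the deployment hook does not need them."""
    return [p for p in probes if p not in needed and allows(policy, *p)]

OBJ = "arn:aws:s3:::mybucket/.dockercfg"  # constructed key name (assumption)
# Answer 0's policy, condensed
SCOPED = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:List*", "s3:GetBucketLocation"],
     "Resource": ["arn:aws:s3:::mybucket"]},
    {"Effect": "Allow", "Action": ["s3:GetObject*", "s3:List*"],
     "Resource": ["arn:aws:s3:::mybucket/*"]}]}
# Assumed stand-in for what AmazonS3FullAccess grants
FULL = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
# Common mistake: the bucket ARN alone does not cover the objects inside it
BUCKET_ONLY = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                              "Resource": "arn:aws:s3:::mybucket"}]}
NEEDED = [("s3:GetObject", OBJ)]
PROBES = NEEDED + [("s3:PutObject", OBJ), ("s3:DeleteObject", OBJ),
                   ("s3:GetObject", "arn:aws:s3:::other-bucket/secrets.txt")]

if __name__ == "__main__":
    for name, pol in [("scoped", SCOPED), ("full", FULL), ("bucket-only", BUCKET_ONLY)]:
        print(name, "download ok:", allows(pol, *NEEDED[0]),
              "excess:", excess(pol, NEEDED, PROBES))
```

Both policies let the deployment hook fetch the credentials file, but only the scoped one leaves the instance role without write, delete or cross-bucket read access.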