用于node.js的AWS开发工具包在ECS中运行时未获取凭据

时间:2018-01-14 06:55:55

标签: node.js amazon-web-services amazon-ecs aws-sdk-js aws-sdk-nodejs

我有这段代码:

const uploadAllToS3 = () => {
    console.log("upload useless file to s3, just to test access rights");
    new AWS.S3().putObject({
        Bucket: scheduledJobsConstants.s3BucketName(),
        Key: `test/${new Date()}.txt`, Body: "Hello!",
    }, (err) => {
        console.log(`env:${inspect(process.env)}
        provider:${AWS.CredentialProviderChain.defaultProviders}
        cred:${inspect(AWS.config.credentials)}
        err:${inspect(err)}`.replace(/(\r\n|\n|\r)/gm, ""));
    });
};

当此代码在ecs中运行时(假设某个角色可以访问S3存储桶),我会在日志中看到这个:

日志的env部分:

env: {
    PATH: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
    HOSTNAME: '485bbd95f87d',
    AWS_CONTAINER_CREDENTIALS_RELATIVE_URI: '/v2/credentials/be3d4d7c-28b6-47e6-8081-cd746d95cb28',
    ECS_CONTAINER_METADATA_FILE: '/opt/ecs/metadata/8c0b731d-49ce-4e19-bf79-64087b433876/ecs-container-metadata.json',
    NODE_VERSION: '8.9.4',
    YARN_VERSION: '1.3.2',
    NPM_CONFIG_PROGRESS: 'false',
    HOME: '/root'
  }

env var中存在“AWS_CONTAINER_CREDENTIALS_RELATIVE_URI”,因此我假设sdk应该能够选择它。

日志的提供者部分只是在sdk代码中定义的4个函数,如果它在env var中看到“AWS_CONTAINER_CREDENTIALS_RELATIVE_URI”,则第4个将返回“ECSCredentials”。

奇怪的是,日志的可信部分在ECS中是“空”。 当我在本地运行(我手动承担一个角色)时,日志的信用部分是“EnvironmentCredentials”,文件上传到S3。

日志的错误部分是:

{ Forbidden: null 
at Request.extractError (/app/node_modules/aws-sdk/lib/services/s3.js:557:35) 
at Request.callListeners (/app/node_modules/aws-sdk/lib/sequential_executor.js:105:20) at Request.emit (/app/node_modules/aws-sdk/lib/sequential_executor.js:77:10) 
at Request.emit (/app/node_modules/aws-sdk/lib/request.js:683:14) 
at Request.transition (/app/node_modules/aws-sdk/lib/request.js:22:10) 
at AcceptorStateMachine.runTo (/app/node_modules/aws-sdk/lib/state_machine.js:14:12) 
at /app/node_modules/aws-sdk/lib/state_machine.js:26:10 
at Request.<anonymous> (/app/node_modules/aws-sdk/lib/request.js:38:9) 
at Request.<anonymous> (/app/node_modules/aws-sdk/lib/request.js:685:12) 
at Request.callListeners (/app/node_modules/aws-sdk/lib/sequential_executor.js:115:18) 
message: null, 
code: 'Forbidden', 
region: null, 
time: 2018-01-14T06:30:00.490Z, 
requestId: '4E7121D88BA0FEF1', 
extendedRequestId: 'D5uiXf5EI/OLHeaPhYX67C384ba3SF1I950N78hJWw8Vv4XGQ0opSLOQlXaxVFW31g252dx8YUc=', 
cfId: undefined, 
statusCode: 403, 
retryable: false, 
retryDelay: 118.50320949834776 }

我的代码或我的env var有什么问题吗?

我应该打印更多日志来帮助诊断此问题吗?

请指教,谢谢。

==========更新==========

我在ECS中运行了此代码 const curlCommand = `curl http://169.254.170.2${process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}`; exec(curlCommand, (error, stdout, stderr) => { console.log(`${curlCommand} err:${error} out:${stdout} stderr:${stderr}`); });

我得到的结果是: { "SecretAccessKey": "long string", "Token": "very long string", "Expiration": "2018-01-14T08:55:04+0000", "AccessKeyId": "shorted string" }

因此,如果sdk调用http://169.254.170.2 $ {process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI},它应该得到正确的响应。

2 个答案:

答案 0 :(得分:1)

简单的答案是

AWS.config.credentials = new AWS.ECSCredentials(options);

可能是因为aws-sdk凭据的凭据未正确配置/配置。

答案 1 :(得分:1)

尝试使用AWS.ECSCredentials.getgetPromise来确保在使用凭据之前已加载凭据:

const ecsCredentials = new AWS.ECSCredentials({ ... });
await ecsCredentials.getPromise();
AWS.config.credentials = ecsCredentials;

检查此线程以获取更多信息:https://github.com/aws/aws-sdk-js/issues/3281#issuecomment-637171993

相关问题
最新问题