从EC2访问kinesis的问题
我有一些从 Kinesis 中提取记录的java代码。它在我的笔记本电脑上运行正常(无论IP),但当我尝试在EC2上运行它时,我收到此错误:
Exception in thread "main" com.amazonaws.SdkClientException: Unable to load AWS credentials from any provider in the chain
at com.amazonaws.auth.AWSCredentialsProviderChain.getCredentials(AWSCredentialsProviderChain.java:131)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.getCredentialsFromContext(AmazonHttpClient.java:1119)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.runBeforeRequestHandlers(AmazonHttpClient.java:759)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:723)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:716)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:699)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:667)
at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:649)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:513)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.doInvoke(AWSSecurityTokenServiceClient.java:1271)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1247)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.executeAssumeRole(AWSSecurityTokenServiceClient.java:454)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.assumeRole(AWSSecurityTokenServiceClient.java:431)
有问题的代码似乎令人不快:
AWSSecurityTokenServiceClient sts = new AWSSecurityTokenServiceClient();
AssumeRoleResult assumeRoleResult = sts.assumeRole(new AssumeRoleRequest()
.withRoleArn(config.getString("kinesis/arn"))
.withExternalId(config.getString("kinesis/external_id"))
.withRoleSessionName(config.getString("kinesis/role_session_name")));
我想知道这是否与EC2实例的构建方式有关。但是它从我的调试器运行良好的事实让我感到困惑。
我已经检查过以确保各种配置值正确无误。
Per @prayagupd我已经更新了EC2实例以包含此策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kinesis:Get*",
"kinesis:List*",
"kinesis:Describe*"
],
"Resource": "*"
}
]
}
现在错误是:
Exception in thread "main" com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException:
User: arn:aws:sts::12345:assumed-role/kinesis-consumer/i-cab01a5
is not authorized to perform:
sts:AssumeRole on resource: arn:aws:iam::12345:role/kinesis-consumer
1 个答案:
答案 0 :(得分:1)
从您的ec2中,您需要通过ec2 VM Profile进行身份验证。
我使用以下代码连接到kinesis与本地属性AwsProfileNameLoader.AWS_PROFILE_SYSTEM_PROPERTY使用(~/.aws/credentials),对我来说~/.aws/credentials是暂时的。
所以我在ec2中使用DefaultAWSCredentialsProviderChain实际上寻找ec2实例配置文件。
您仍然可以将您的凭据放在~/.aws/credentials中并使用相同的内容。
/**
* provides credentials for a client to make connection to the elastic cloud instance
*
* @return DefaultAWSCredentialsProviderChain
*/
private DefaultAWSCredentialsProviderChain getAuthProfileCredentials() {
if (myAppConfig.getProperty("authentication.profile") != null) {
System.setProperty(AwsProfileNameLoader.AWS_PROFILE_SYSTEM_PROPERTY, myAppConfig.getProperty("authentication.profile"));
}
return new DefaultAWSCredentialsProviderChain();
}
您的ec2实例个人资料需要kinesis access IAM role具有以下信任关系。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
角色政策应该
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kinesis:*"
],
"Resource": [
"arn:aws:kinesis:us-west-2:*:stream/*"
]
}
]
}
然后可以使用ec2机器上的以下命令验证kinesis访问权限(aws cli应该已安装)
aws kinesis create-stream --stream-name gregor-samsa-ping --shard-count 1 --region us-west-2
aws kinesis list-streams --region us-west-2
{
"StreamNames": [
"gregor-samsa-ping"
]
}
相关问题
最新问题
- 我写了这段代码,但我无法理解我的错误
- 我无法从一个代码实例的列表中删除 None 值,但我可以在另一个实例中。为什么它适用于一个细分市场而不适用于另一个细分市场?
- 是否有可能使 loadstring 不可能等于打印?卢阿
- java中的random.expovariate()
- Appscript 通过会议在 Google 日历中发送电子邮件和创建活动
- 为什么我的 Onclick 箭头功能在 React 中不起作用?
- 在此代码中是否有使用“this”的替代方法?
- 在 SQL Server 和 PostgreSQL 上查询,我如何从第一个表获得第二个表的可视化
- 每千个数字得到
- 更新了城市边界 KML 文件的来源?