IAM / S3 policy error with streaming multipart upload

Time: 2017-06-23 20:37:46

Tags: amazon-web-services amazon-s3 amazon-iam

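I'm trying to upload a PostgreSQL backup to S3 using aws-cli s3 cp with - (stdin) as the source, ideally with a write-only policy (the backup user should be able to write but not delete; deletion is handled by a bucket policy that transitions files to infrequent access (IA) storage, eventually to Glacier, and after some time finally deletes them).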

But I get an error:

upload failed: ./- to s3://bucket-name/postgresql/dbname_2017-06-23T20:26:39+0000.sqlc
A client error (AccessDenied) occurred when calling the CreateMultipartUpload operation: Access Denied
Cleaning up. Please wait...

The command I'm running is:

AWS_ACCESS_KEY_ID=••• AWS_SECRET_ACCESS_KEY=••• AWS_DEFAULT_REGION=eu-west-1 /usr/bin/pg_dump --username username -p 6432 -Fc dbname | /usr/bin/aws s3 cp --sse=aws:kms - s3://bucket-name/postgresql/dbname_$(date --iso-8601=s).sqlc

The credentials used have only a single policy attached:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1498224672102",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListObjects",
        "s3:ListBucket",
        "s3:ListBucket",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts",
        "s3:ListBucketMultipartUploads",
        "s3:GetObjectAcl",
        "s3:PutObjectAcl"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::bucket-name",
        "arn:aws:s3:::bucket-name/*"
      ]
    }
  ]
}

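I can't find the right incantation anywhere to get CreateMultipartUpload working; even the --debug trace log doesn't really help, and I can't find anything applicable in the AWS documentation.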

2017-06-23 20:03:20,766 - Thread-5 - botocore.endpoint - DEBUG - Sending http request: <PreparedRequest [POST]>
2017-06-23 20:03:20,767 - Thread-5 - botocore.vendored.requests.packages.urllib3.connectionpool - INFO - Starting new HTTPS connection (1): s3-eu-west-1.amazonaws.com
2017-06-23 20:03:20,872 - Thread-5 - botocore.vendored.requests.packages.urllib3.connectionpool - DEBUG - "POST /bucket-name/postgresql/dbname_2017-06-23T20%3A03%3A18%2B0000.sqlc?uploads HTTP/1.1" 403 None
2017-06-23 20:03:20,873 - Thread-5 - botocore.parsers - DEBUG - Response headers: {'x-amz-id-2': 'Qig+LfMtw3WPp+R3I7A3XUQQjlEQRHCuEsNWbgFnpPhglIlRkFp2aQRTpPk4ZF+kyTuBHQG2R58=', 'server': 'AmazonS3', 'transfer-encoding': 'chunked', 'x-amz-request-id': '7FC2F6D75773CD03', 'date': 'Fri, 23 Jun 2017 20:03:20 GMT', 'content-type': 'application/xml'}
2017-06-23 20:03:20,873 - Thread-5 - botocore.parsers - DEBUG - Response body:
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>7FC2F6D75773CD03</RequestId><HostId>Qig+LfMtw3WPp+R3I7A3XUQQjlEQRHCuEsNWbgFnpPhglIlRkFp2aQRTpPk4ZF+kyTuBHQG2R58=</HostId></Error>
2017-06-23 20:03:20,873 - Thread-5 - botocore.hooks - DEBUG - Event needs-retry.s3.CreateMultipartUpload: calling handler <botocore.retryhandler.RetryHandler object at 0x289abd0>
2017-06-23 20:03:20,873 - Thread-5 - botocore.retryhandler - DEBUG - No retry needed.
2017-06-23 20:03:20,874 - Thread-5 - botocore.hooks - DEBUG - Event after-call.s3.CreateMultipartUpload: calling handler <function enhance_error_msg at 0x21e3668>
2017-06-23 20:03:20,874 - Thread-5 - botocore.hooks - DEBUG - Event after-call.s3.CreateMultipartUpload: calling handler <awscli.errorhandler.ErrorHandler object at 0x2250d10>
2017-06-23 20:03:20,874 - Thread-5 - awscli.errorhandler - DEBUG - HTTP Response Code: 403
2017-06-23 20:03:20,874 - Thread-5 - awscli.customizations.s3.tasks - DEBUG - Error trying to create multipart upload: A client error (AccessDenied) occurred when calling the CreateMultipartUpload operation: Access Denied
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/awscli/customizations/s3/tasks.py", line 465, in __call__
    upload_id = self.filename.create_multipart_upload()
  File "/usr/lib/python2.7/site-packages/awscli/customizations/s3/fileinfo.py", line 354, in create_multipart_upload
    response_data = self.client.create_multipart_upload(**params)
  File "/usr/lib/python2.7/site-packages/botocore/client.py", line 310, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/lib/python2.7/site-packages/botocore/client.py", line 403, in _make_api_call
    model=operation_model, context=request_context
  File "/usr/lib/python2.7/site-packages/botocore/hooks.py", line 226, in emit
    return self._emit(event_name, kwargs)
  File "/usr/lib/python2.7/site-packages/botocore/hooks.py", line 209, in _emit
    response = handler(**kwargs)
  File "/usr/lib/python2.7/site-packages/awscli/errorhandler.py", line 70, in __call__
    http_status_code=http_response.status_code)
ClientError: A client error (AccessDenied) occurred when calling the CreateMultipartUpload operation: Access Denied
2017-06-23 20:03:20,875 - Thread-5 - awscli.customizations.s3.executor - DEBUG - Error calling task: A client error (AccessDenied) occurred when calling the CreateMultipartUpload operation: Access Denied
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/awscli/customizations/s3/executor.py", line 226, in run
    function()
  File "/usr/lib/python2.7/site-packages/awscli/customizations/s3/tasks.py", line 477, in __call__
    raise e
ClientError: A client error (AccessDenied) occurred when calling the CreateMultipartUpload operation: Access Denied
2017-06-23 20:03:20,875 - Thread-3 - awscli.customizations.s3.executor - DEBUG - Received print task: PrintTask(message=u'upload failed: ./- to s3://bucket-name/postgresql/dbname_2017-06-23T20:03:18+0000.sqlc\nA client error (AccessDenied) occurred when calling the CreateMultipartUpload operation: Access Denied', error=True, total_parts=None, warning=None)

Can anyone help name the correct policy actions to make this work?

0 answers:

No answers