我的目标是设置一个S3存储桶,我的节点应用程序可以从中下载对象。我是建立网站和api请求的新手,并花了很多时间阅读AWS的文档,但我真的很困惑。
设置凭据的最佳方法是什么,以便我的节点应用程序可以连接到S3并下载我需要的特定对象?我应该使用iAm角色吗?那么iAm访问密钥是否只存储在我的本地.aws / credentials文件中?到目前为止,我一直在尝试使用我的个人aws用户访问密钥,然后是iAm角色的访问密钥,运行下面的代码,保存到我的.aws / credentials文件中,但我一直在{ {1}}(下面的堆栈跟踪)。我没有正确设置我的凭据吗?谢谢!
listB堆栈追踪:
[[10]]嗨,我仍然无法访问此文件。我的.aws /凭证如下所示(我正在使用我的个人帐户配置文件,这可以拉动我的IAm角色):
Access Denied.aws /配置:
var AWS = require('aws-sdk');
var s3 = new AWS.S3();
var credentials = new AWS.SharedIniFileCredentials({profile: 'personal-account'});
AWS.config.credentials = credentials;
var params = { Bucket: "my_bucket", Key: "testing.txt" }
s3.getObject(params, function(err, data) {
if (err) console.log(err, err.stack);
else console.log(data);
});
我不确定我是否理解IAm策略的工作原理,但我使用AdministratorAccess和以下配置文件设置了我的IAm角色:
{ AccessDenied: Access Denied
at Request.extractError (/Users/jemery62/dev/jimmyemery_com/node_modules/aws-sdk/lib/services/s3.js:577:35)
at Request.callListeners (/Users/jemery62/dev/jimmyemery_com/node_modules/aws-sdk/lib/sequential_executor.js:105:20)
at Request.emit (/Users/jemery62/dev/jimmyemery_com/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
at Request.emit (/Users/jemery62/dev/jimmyemery_com/node_modules/aws-sdk/lib/request.js:683:14)
at Request.transition (/Users/jemery62/dev/jimmyemery_com/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/Users/jemery62/dev/jimmyemery_com/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /Users/jemery62/dev/jimmyemery_com/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/Users/jemery62/dev/jimmyemery_com/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/Users/jemery62/dev/jimmyemery_com/node_modules/aws-sdk/lib/request.js:685:12)
at Request.callListeners (/Users/jemery62/dev/jimmyemery_com/node_modules/aws-sdk/lib/sequential_executor.js:115:18)
message: 'Access Denied',
code: 'AccessDenied',
region: null,
time: 2017-10-26T02:01:15.586Z,
requestId: '10371DCDBBC02508',
extendedRequestId: '0GC8BZ/39/eFOzWgTedHSFxhFSGBAMcZqxCVAlUxp8YamwBGeGZUZVe7Ti9O/6+BxhUTk9jb4hk=',
cfId: undefined,
statusCode: 403,
retryable: false,
retryDelay: 75.06631783335284 } 'AccessDenied: Access Denied
at Request.extractError (/Users/jemery62/dev/jimmyemery_com/node_modules/aws-sdk/lib/services/s3.js:577:35)
at Request.callListeners (/Users/jemery62/dev/jimmyemery_com/node_modules/aws-sdk/lib/sequential_executor.js:105:20)
at Request.emit (/Users/jemery62/dev/jimmyemery_com/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
at Request.emit (/Users/jemery62/dev/jimmyemery_com/node_modules/aws-sdk/lib/request.js:683:14)
at Request.transition (/Users/jemery62/dev/jimmyemery_com/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/Users/jemery62/dev/jimmyemery_com/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /Users/jemery62/dev/jimmyemery_com/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/Users/jemery62/dev/jimmyemery_com/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/Users/jemery62/dev/jimmyemery_com/node_modules/aws-sdk/lib/request.js:685:12)
at Request.callListeners (/Users/jemery62/dev/jimmyemery_com/node_modules/aws-sdk/lib/sequential_executor.js:115:18)'
我是否需要对.aws / config进行其他更改?我是否错误地或不正确地尝试调用我想要的对象来提供我的凭据?
我已经发布了第二个问题here,以澄清我此刻正在经历的问题,因为我认为我所做的这篇文章开始变得有点混乱。
答案 0 :(得分:2)
如果您的代码在EC2上运行,那么它应该使用EC2实例配置文件。如果它在其他任何地方运行,那么您应该在~/.aws/credentials或环境变量中配置IAM用户密钥。
在任何一种情况下,IAM角色或用户都应该有一个附加策略,使其可以访问S3存储桶和该存储桶中的对象。如果您还有其他问题,请将您正在使用的IAM政策添加到您的问题中。
答案 1 :(得分:2)
我个人发现加载存储在JSON格式文件中的凭据的loadFromPath方法是最灵活的方法。
您确实需要IAM角色(谨慎选择访问范围)以获取accessKeyId和secretAccessKey
所以你的JSON文件应如下所示:
{
"accessKeyId": "IAM_ACCESS_KEY_ID",
"secretAccessKey": "IAM_SECRET_ACCESS_KEY"
}
然后你就可以做到:
var AWS = require('aws-sdk');
AWS.config.loadFromPath('/path/to/credentials/aws.credentials.json');
var params = { Bucket: "my_bucket", Key: "testing.txt" }
s3.getObject(params, function(err, data) {
if (err) console.log(err, err.stack);
else console.log(data);
});
答案 2 :(得分:0)
以下代码最终为我工作。看起来我需要在配置AWS之后实例化s3 。
var AWS = require('aws-sdk');
var credentials = new AWS.SharedIniFileCredentials({profile: 'personal-account'});
AWS.config.credentials = credentials;
s3 = new AWS.S3();
var params = { Bucket: "my_bucket", Key: "testing.txt" }
s3.getObject(params, function(err, data) {
if (err) console.log(err, err.stack);
else console.log(data);
});