我正在尝试从我的示例Spring应用程序中的s3存储桶中获取一些加密的连接参数。这是我用来在容器内运行的方法:
public void encryptionOnly_KmsManagedKey() throws NoSuchAlgorithmException {
AmazonS3Encryption s3Encryption = AmazonS3EncryptionClientBuilder
.standard()
.withRegion(Regions.US_EAST_1)
.withCryptoConfiguration(new CryptoConfiguration(CryptoMode.AuthenticatedEncryption))
// Can either be Key ID or alias (prefixed with 'alias/')
.withEncryptionMaterials(new KMSEncryptionMaterialsProvider("alias/db-connstring"))
.build();
//System.out.println(amazonS3.getObjectAsString(BUCKET_NAME, PROPERTIES_FILE_NON_ENC));
System.out.println(s3Encryption.getObjectAsString(BUCKET_NAME, PROPERTIES_FILE_ENC));
}
我创建了一个IAM角色并分配给我的ECS任务:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:GetObject" ], "Sid": "Stmt1", "Resource": [ "arn:aws:s3:::dev-web-s3/dev-webapp.properties" ], "Effect": "Allow" } ] }
我收到以下错误:
15:31:25,502 WARN [com.amazonaws.http.AmazonHttpClient] (http-/0.0.0.0:8080-1) SSL Certificate checking for endpoints has been explicitly disabled.
15:31:25,523 WARN [com.amazonaws.http.AmazonHttpClient] (http-/0.0.0.0:8080-1) SSL Certificate checking for endpoints has been explicitly disabled.
15:31:26,000 ERROR [stderr] (http-/0.0.0.0:8080-1) com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 6859B84E52157DB7), S3 Extended Request ID: hIneAhT8TYX3P1z8zOGetqrSHhz5AqeOtRQnkCU9IuR0mBpMntFE9TXySu2iYv0Bbs4xONkxRz0=
15:31:26,001 ERROR [stderr] (http-/0.0.0.0:8080-1) at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1588)
15:31:26,001 ERROR [stderr] (http-/0.0.0.0:8080-1) at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1258)
15:31:26,001 ERROR [stderr] (http-/0.0.0.0:8080-1) at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1030)
15:31:26,001 ERROR [stderr] (http-/0.0.0.0:8080-1) at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:742)
15:31:26,002 ERROR [stderr] (http-/0.0.0.0:8080-1) at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:716)
15:31:26,002 ERROR [stderr] (http-/0.0.0.0:8080-1) at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:699)
15:31:26,002 ERROR [stderr] (http-/0.0.0.0:8080-1) at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:667)
15:31:26,002 ERROR [stderr] (http-/0.0.0.0:8080-1) at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:649)
15:31:26,002 ERROR [stderr] (http-/0.0.0.0:8080-1) at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:513)
我正在使用Fargate来部署我的容器,因此无法进入容器内部但是在命令下运行并得到如下结果: curl 169.254.170.2 $ AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
{
"RoleArn": "arn:aws:iam::281177187806:role/CC_GetPropertiesFile_S3_Role",
"AccessKeyId": "REDACTED",
"SecretAccessKey": "REDACTED",
"Token": "some random token",
"Expiration": "2018-03-16T00:21:55Z"
}
CC_GetPropertiesFile_S3_Role是先前为可信实体创建的角色,即AWS服务:ecs-tasks。
我尝试使用BasicAWSCredentials选项使用CURL命令中的凭据,并得到以下错误:
com.amazonaws.services.s3.model.AmazonS3Exception: The AWS Access Key Id you provided does not exist in our records. (Service: Amazon S3; Status Code: 403; Error Code: InvalidAccessKeyId; Request ID: 81CC7254BCA83D53), S3 Extended Request ID: of46B2ujyTG
我正在尝试获取调试级别的日志记录信息,但同时还可以指出任何其他可以指出的问题或提供替代解决方案。
感谢。
答案 0 :(得分:0)
您必须使用两个不同的Amazon资源名称(ARN)来指定存储桶级别(ListBucket)和对象级别(GetObject)权限。
来自IAM的凭据将具有到期时间,因此does not exist错误。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::dev-web-s3"]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": ["arn:aws:s3:::dev-web-s3/dev-webapp.properties"]
}
]
}
答案 1 :(得分:0)
我能够通过在java方法中使用的加密密钥中添加自定义角色 CC_GetPropertiesFile_S3_Role 来解决此问题。