我有一个S3专用存储桶,我的静态网站托管在该存储桶中,并且我还有一个代理Apache httpd。 所以我想将请求从代理重定向到S3。
我的实例应该具有访问权限,因为我将BucketPolicy放入了ec2实例的IP地址:
{
"Version": "2008-10-17",
"Id": "S3_Policy",
"Statement": [
{
"Sid": "AllowWebAccess",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucket/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "192.168.0.1/32"
}
}
}
]
}
但是,当我尝试从httpd代理服务静态网站时,收到错误消息:
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>D7C96fd6A80A99E8</RequestId>
<HostId>
PmPyhF1xqK3CgG9n1tchueoLrzfakwOkB0zxbqAMJy+qhid+QTClR9kvAWD30b+VQ6UEi5YY3bc=
</HostId>
</Error>
我的Httpd配置:
ProxyPreserveHost off
<Location /static>
ProxyPass http://s3-eu-west-1.amazonaws.com/mybucket
ProxyPass http://s3-eu-west-1.amazonaws.com/mybucket
</Location>
所以,我认为问题是我的httpd无法使用签名来获得访问s3存储桶的授权
那么你有什么主意吗?
提前谢谢
答案 0 :(得分:0)
我发现了这个问题的答案
我必须创建一个vpcEndoint形式的VPC TAB
然后在bucketpolicy中授予对vpc端点的访问权限
{
"Version": "2008-10-17",
"Id": "S3_Policy",
"Statement": [
{
"Sid": "AllowWebAccess",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucket/*",
"Condition": {
"StringEquals": {
"aws:sourceVpce": "vpce-xxx"
}
}
},
{
"Sid": "DenyWebAccess",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::diva-mybucket/*",
"Condition": {
"StringNotEquals": {
"aws:sourceVpce": "vpce-xxx
}
}
]
}
使用此配置,我们不需要使用访问密钥和私钥或签名