使用具有IAM角色的COPY命令时,拒绝访问S3

时间:2019-05-28 20:17:03

标签: amazon-redshift amazon-iam

我有以下复制命令:

copy ink.contact_trace_records
from 's3://mybucket/mykey'
iam_role 'arn:aws:iam::accountnum:role/rolename'
json 'auto';

该角色具有对S3的完全访问权限和对RS策略的完全访问权限(我知道这不是一个好主意,但是我只是在这里丢了它:))。群集具有附加角色。群集具有VPC增强的路由。我得到以下信息:

[2019-05-28 14:07:34] [XX000][500310] [Amazon](500310) Invalid operation: S3ServiceException:Access Denied,Status 403,Error AccessDenied,Rid 370F75618922AFC0,ExtRid dp2mcnlofFzt4dz00Lcm188/+ta3OEKVpuFjnZSYsC0pJPMiULk7I6spOpiZwXc04VVRdxizIj4=,CanRetry 1
[2019-05-28 14:07:34] Details:
[2019-05-28 14:07:34] -----------------------------------------------
[2019-05-28 14:07:34] error:  S3ServiceException:Access Denied,Status 403,Error AccessDenied,Rid 370F75618922AFC0,ExtRid dp2mcnlofFzt4dz00Lcm188/+ta3OEKVpuFjnZSYsC0pJPMiULk7I6spOpiZwXc04VVRdxizIj4=,CanRetry 1
[2019-05-28 14:07:34] code:      8001
[2019-05-28 14:07:34] context:   S3 key being read : s3://redacted
[2019-05-28 14:07:34] query:     7794423
[2019-05-28 14:07:34] location:  table_s3_scanner.cpp:372
[2019-05-28 14:07:34] process:   query3_986_7794423 [pid=13695]
[2019-05-28 14:07:34] -----------------------------------------------;

我在这里想念什么?群集具有对S3的完全访问权限,甚至在自定义VPC中也没有,它处于默认状态。有想法吗?

1 个答案:

答案 0 :(得分:1)

检查对象所有者。该对象可能由另一个帐户拥有。这就是在许多情况下,具有完全权限的角色或帐户无法访问对象的情况下使用S3 403的原因。典型的指示是您可以list个对象,但不能gethead个对象。

在以下示例中,我尝试从第二个帐户访问Redshift审核日志。帐户012345600000使用以下策略被授予对999999999999所拥有的存储桶的访问权限:

{"Version": "2012-10-17",
 "Statement": [
        {"Action": [
                "s3:Get*",
                "s3:ListBucket*"
            ],
          "Effect": "Allow",
          "Resource": [
                "arn:aws:s3:::my-audit-logs",
                "arn:aws:s3:::my-audit-logs/*"
            ],
          "Principal": {
                "AWS": [
                    "arn:aws:iam::012345600000:root"
                ]}}]
 }

现在,我尝试列出(s3 ls),然后复制(s3 cp)一个日志对象:

aws --profile 012345600000 s3 ls s3://my-audit-logs/AWSLogs/999999999999/redshift/us-west-2/2019/05/25/
# 2019-05-28 14:49:46        376 …connectionlog_2019-05-25T19:03.gz
aws --profile 012345600000 s3 cp s3://my-audit-logs/AWSLogs/999999999999/redshift/us-west-2/2019/05/25/…connectionlog_2019-05-25T19:03.gz ~/Downloads/…connectionlog_2019-05-25T19:03.gz
# fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden

然后我从拥有存储桶的帐户中检查对象的所有权。

aws --profile 999999999999 s3api get-object-acl --bucket my-audit-logs --key AWSLogs/999999999999/redshift/us-west-2/2019/05/25/…connectionlog_2019-05-25T19:03.gz
# "Owner": {
#    "DisplayName": "aws-cm-prod-auditlogs-uswest2", ## Not my account!
#    "ID": "b2b456ce30a967fb1877b3c9594773ae0275fee248e3ebdbff43d66907b89144"
# },

然后,我使用--acl bucket-owner-full-control将对象复制到同一存储桶中。这使我成为新对象的所有者。请注意已更改的SharedLogs/前缀。

aws --profile 999999999999 s3 cp \ 
   s3://my-audit-logs/AWSLogs/999999999999/redshift/us-west-2/2019/05/25/…connectionlog_2019-05-25T19:03.gz \
   s3://my-audit-logs/SharedLogs/999999999999/redshift/us-west-2/2019/05/25/…connectionlog_2019-05-25T19:03.gz \
   --acl bucket-owner-full-control

现在,我可以下载(或加载到Redshift!)从同一存储桶共享的新对象。

aws --profile 012345600000 s3 cp s3://my-audit-logs/SharedLogs/999999999999/redshift/us-west-2/2019/05/25/…connectionlog_2019-05-25T19:03.gz ~/Downloads/…connectionlog_2019-05-25T19:03.gz
# download: …