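Creating an AWS S3 bucket with Ansible

Date: 2020-01-17 17:03:18

Tags: amazon-web-services amazon-s3 ansible

Below is my yml file for creating an S3 bucket. For security reasons I have not pasted the actual aws_access_key and aws_secret_key here; they are just shown as ***** in the snippet below. I have installed boto3, boto and the AWS CLI on the EC2 instance where Ansible is installed.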

---
- hosts: localhost
  tasks:
  - name: Create an S3 bucket
    become: true
    aws_s3: aws_access_key=****** aws_secret_key=**** bucket=testbuck  mode=create permission=public-read region=us-east-1

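When I execute the above yml file with the ansible-playbook command, it gives the exception shown below. Please help me resolve this so that the S3 bucket named "testbuck" gets created.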

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: botocore.exceptions.ClientError: An error occurred (403) when calling the HeadBucket operation: Forbidden
fatal: [localhost]: FAILED! => {"boto3_version": "1.10.44", "botocore_version": "1.13.44", "changed": false, "error": {"code": "403", "message": "Forbidden"}, "msg": "Failed while looking up bucket (during bucket_check) testbuck.: An error occurred (403) when calling the HeadBucket operation: Forbidden", "response_metadata": {"host_id": "OmIY2bLkh4T4JwxD/UJsM47n7oUUS6ttEL9ZMl+vv66bVsLcwQuP2pzAGr05m1LdtznYudrrapk=", "http_headers": {"content-type": "application/xml", "date": "Fri, 17 Jan 2020 16:54:49 GMT", "server": "AmazonS3", "transfer-encoding": "chunked", "x-amz-bucket-region": "us-east-1", "x-amz-id-2": "OmIY2bLkh4T4JwxD/UJsM47n7oUUS6ttEL9ZMl+vv66bVsLcwQuP2pzAGr05m1LdtznYudrrapk=", "x-amz-request-id": "51740FB276A10A18"}, "http_status_code": 403, "request_id": "51740FB276A10A18", "retry_attempts": 0}}

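3 answers:

Answer 0: (score: 1)

By default, the Ansible command runs with a check if a bucket exists before creating it. Maybe the IAM user you are using does not have permission to check whether the bucket exists. Try adding: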

aws_s3: ... ignore_nonexistent_bucket: True

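Or grant the user the s3:ListBucket permission.

Answer 1: (score: 0)

You should check whether you have s3:ListBucket access. Here is the official S3 documentation: https://docs.aws.amazon.com/en_us/AmazonS3/latest/API/API_HeadBucket.html

Answer 2: (score: 0)

The HeadBucket operation checks whether an S3 bucket exists and whether you have permission to access it. To use this operation, your IAM role/user must be able to perform the s3:ListBucket action. The bucket owner has this permission by default and can grant this permission to others. For more information, see the official S3 documentation: https://docs.aws.amazon.com/en_us/AmazonS3/latest/API/API_HeadBucket.html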
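
The answers above all point at s3:ListBucket; the following is an added example (not code from the question or from any answer) that checks offline whether a single identity-based IAM policy grants that action on the bucket ARN that HeadBucket is authorized against. The three policy documents are constructed samples, and the evaluator is a simplification that assumes no Condition, NotAction or NotResource elements and ignores bucket policies, permission boundaries and SCPs.

```python
import re

# Bucket ARN for the bucket named in the question. HeadBucket is authorized by
# s3:ListBucket on this ARN, not on the object ARN "arn:aws:s3:::testbuck/*".
BUCKET_ARN = "arn:aws:s3:::testbuck"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, value, flags=0):
    # IAM wildcards: "*" matches any run of characters, "?" exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, flags) is not None

def head_bucket_decision(policy, bucket_arn=BUCKET_ARN, action="s3:ListBucket"):
    """Return 'allow', 'explicit-deny' or 'implicit-deny' for one identity policy."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if {"Condition", "NotAction", "NotResource"} & stmt.keys():
            raise ValueError("statement uses elements this sketch does not evaluate")
        # Action names are case-insensitive, resource ARNs are not.
        hit = (any(_glob(a, action, re.IGNORECASE) for a in _as_list(stmt["Action"]))
               and any(_glob(r, bucket_arn) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return "explicit-deny"  # an explicit Deny always wins
        allowed = allowed or hit
    return "allow" if allowed else "implicit-deny"

# Constructed sample policies (not taken from the question).
OBJECTS_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::testbuck/*"}]}
BUCKET_LEVEL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:CreateBucket"],
     "Resource": "arn:aws:s3:::testbuck"}]}
WITH_DENY = {"Version": "2012-10-17", "Statement": BUCKET_LEVEL["Statement"] + [
    {"Effect": "Deny", "Action": "s3:List*", "Resource": "*"}]}

if __name__ == "__main__":
    for name, pol in [("objects-only", OBJECTS_ONLY),
                      ("bucket-level", BUCKET_LEVEL),
                      ("with-deny", WITH_DENY)]:
        print(f"{name:13} -> {head_bucket_decision(pol)}")
```

A policy scoped only to `arn:aws:s3:::testbuck/*` yields an implicit deny for the bucket-level check even though it allows `s3:*`, which is a frequent reason for a 403 on HeadBucket after permissions were supposedly granted.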