AWS-无法从EC2访问S3存储桶对象

时间:2020-02-04 18:57:30

标签: amazon-web-services amazon-s3 amazon-ec2 amazon-iam

我不确定是否在这里错过了一个步骤。

我有一个s3存储桶,我需要能够从我在EC2上运行的AWS开发工具包PHP脚本中进行访问。我创建了一个IAM角色以允许访问。

IAM Allow_S3_Access_to_EC2

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::myinbox"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::myinbox/*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::myinbox/*"
        }
    ]
}

我对IAM角色的信任关系是

信任关系

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

然后,我将该IAM角色附加到我的EC2实例。根据我的阅读,这是我要做的,但是我认为我需要做更多。

在我的存储桶策略中,我具有以下允许从我的SES访问的权限,以便能够创建电子邮件对象。

S3存储桶策略

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSESPuts",
            "Effect": "Allow",
            "Principal": {
                "Service": "ses.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::myinbox/*",
            "Condition": {
                "StringEquals": {
                    "aws:Referer": "************"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::************:role/Allow_S3_Access_to_EC2"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::myinbox",
                "arn:aws:s3:::myinbox/*"
            ]
        }
    ]
}

我的存储桶策略中没有EC2或什至已附加的IAM角色。我还需要在“存储桶策略”中添加一些内容吗?那就是我感到困惑的地方。

我遇到的是创建新对象时,我尝试从我的AWS开发工具包PHP访问该对象时,系统显示“ 403”被禁止。如果我在S3控制台中将该对象公开,则可以正常访问它。因此,即使我已为我的EC2设置了访问S3的权限,除非我将该对象设为公共对象,否则我将无法访问它。

我什至尝试通过终端对实际服务器上的对象使用wget,除非我公开该对象,否则我仍然会得到403

以我的角色运行IAM策略模拟器时,我得到了

enter image description here

这是我的PHP

PHP脚本

require '../aws-ses/aws-autoloader.php';

use Aws\S3\S3Client;
use Aws\S3\Exception\S3Exception;

$bucketName = 'myinbox';

try {
// Instantiate the client.
    $s3 = new S3Client([
        'version' => 'latest',
        'region'  => 'us-west-2',
        'credentials' => array('key'=>'*********************',
                    'secret'=>'*******************************************')
    ]);
} catch (Exception $e) {
    // We use a die, so if this fails. It stops here. Typically this is a REST call so this would
    // return a json object.
    die("Error: " . $e->getMessage());
}
// Use the high-level iterators (returns ALL of your objects).
$objects = $s3->getIterator('ListObjects', array('Bucket' => $bucketName));

2 个答案:

答案 0 :(得分:0)

首先,您是否设置了信任关系,以便EC2服务可以承担该角色?

接下来,您不将IAM角色直接与EC2实例关联。相反,您需要使用实例配置文件。您是否设置了与该角色相关联的实例配置文件?

该文档是一个不错的开始:https://docs.aws.amazon.com/codedeploy/latest/userguide/getting-started-create-iam-instance-profile.html

答案 1 :(得分:0)

1)我将确保您使用的是ec2角色来调用s3,请使用以下命令来标识

$ clang++ -std=c++98 test.cpp -Wall -Wextra 
test.cpp:2:12: warning: initialization of pointer of type 'int *' to null from a constant boolean expression [-Wbool-conversion]
    return false;
           ^~~~~
1 warning generated.
$ clang++ -std=c++03 test.cpp -Wall -Wextra 
test.cpp:2:12: warning: initialization of pointer of type 'int *' to null from a constant boolean expression [-Wbool-conversion]
    return false;
           ^~~~~
1 warning generated.
$ clang++ -std=c++11 test.cpp -Wall -Wextra 
test.cpp:2:12: error: cannot initialize return object of type 'int *' with an rvalue of type 'bool'
    return false;
           ^~~~~
1 error generated.

2)我将撤消现有会话,以确保新会话已刷新角色

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html

3)使用S3访问分析器定义访问解析

https://docs.aws.amazon.com/AmazonS3/latest/user-guide/access-analyzer.html