我不确定是否在这里错过了一个步骤。
我有一个s3存储桶,我需要能够从我在EC2上运行的AWS开发工具包PHP脚本中进行访问。我创建了一个IAM角色以允许访问。
IAM Allow_S3_Access_to_EC2
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::myinbox"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::myinbox/*"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
},
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": "s3:DeleteObject",
"Resource": "arn:aws:s3:::myinbox/*"
}
]
}
我对IAM角色的信任关系是
信任关系
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
然后,我将该IAM角色附加到我的EC2实例。根据我的阅读,这是我要做的,但是我认为我需要做更多。
在我的存储桶策略中,我具有以下允许从我的SES访问的权限,以便能够创建电子邮件对象。
S3存储桶策略
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSESPuts",
"Effect": "Allow",
"Principal": {
"Service": "ses.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::myinbox/*",
"Condition": {
"StringEquals": {
"aws:Referer": "************"
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::************:role/Allow_S3_Access_to_EC2"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::myinbox",
"arn:aws:s3:::myinbox/*"
]
}
]
}
我的存储桶策略中没有EC2或什至已附加的IAM角色。我还需要在“存储桶策略”中添加一些内容吗?那就是我感到困惑的地方。
我遇到的是创建新对象时,我尝试从我的AWS开发工具包PHP访问该对象时,系统显示“ 403”被禁止。如果我在S3控制台中将该对象公开,则可以正常访问它。因此,即使我已为我的EC2设置了访问S3的权限,除非我将该对象设为公共对象,否则我将无法访问它。
我什至尝试通过终端对实际服务器上的对象使用wget
,除非我公开该对象,否则我仍然会得到403
以我的角色运行IAM策略模拟器时,我得到了
这是我的PHP
PHP脚本
require '../aws-ses/aws-autoloader.php';
use Aws\S3\S3Client;
use Aws\S3\Exception\S3Exception;
$bucketName = 'myinbox';
try {
// Instantiate the client.
$s3 = new S3Client([
'version' => 'latest',
'region' => 'us-west-2',
'credentials' => array('key'=>'*********************',
'secret'=>'*******************************************')
]);
} catch (Exception $e) {
// We use a die, so if this fails. It stops here. Typically this is a REST call so this would
// return a json object.
die("Error: " . $e->getMessage());
}
// Use the high-level iterators (returns ALL of your objects).
$objects = $s3->getIterator('ListObjects', array('Bucket' => $bucketName));
答案 0 :(得分:0)
首先,您是否设置了信任关系,以便EC2服务可以承担该角色?
接下来,您不将IAM角色直接与EC2实例关联。相反,您需要使用实例配置文件。您是否设置了与该角色相关联的实例配置文件?
该文档是一个不错的开始:https://docs.aws.amazon.com/codedeploy/latest/userguide/getting-started-create-iam-instance-profile.html
答案 1 :(得分:0)
1)我将确保您使用的是ec2角色来调用s3,请使用以下命令来标识
$ clang++ -std=c++98 test.cpp -Wall -Wextra
test.cpp:2:12: warning: initialization of pointer of type 'int *' to null from a constant boolean expression [-Wbool-conversion]
return false;
^~~~~
1 warning generated.
$ clang++ -std=c++03 test.cpp -Wall -Wextra
test.cpp:2:12: warning: initialization of pointer of type 'int *' to null from a constant boolean expression [-Wbool-conversion]
return false;
^~~~~
1 warning generated.
$ clang++ -std=c++11 test.cpp -Wall -Wextra
test.cpp:2:12: error: cannot initialize return object of type 'int *' with an rvalue of type 'bool'
return false;
^~~~~
1 error generated.
2)我将撤消现有会话,以确保新会话已刷新角色
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html
3)使用S3访问分析器定义访问解析
https://docs.aws.amazon.com/AmazonS3/latest/user-guide/access-analyzer.html