时间戳

首页 > 解决方案 > 将 S3 对象复制到另一个 S3 位置 Elastic Beanstalk SSH 设置错误

amazon-web-services - 将 S3 对象复制到另一个 S3 位置 Elastic Beanstalk SSH 设置错误

问题描述

尝试执行以下操作时出现此 Elastic Beanstalk 权限错误:

eb ssh --setup

2020-07-06 07:36:50    INFO    Environment update is starting.      
2020-07-06 07:36:53    ERROR   Service:Amazon S3, Message:You don't have permission to copy an Amazon S3 object to another S3 location. Source: bucket = 'tempsource', key = 'xxx'. Destination: bucket = 'tempdest', key = 'yyy'.
2020-07-06 07:36:53    ERROR   Failed to deploy configuration.

是否有我应该添加到我的 IAM 权限的特定策略?我尝试向我的 IAM 用户添加完整的 S3 访问权限,但错误仍然存​​在。还是与源存储桶相关的权限错误?

更多细节:

两个存储桶都在同一个 AWS 账户中。复制操作不适用于 AWS CLI 复制命令。

铲斗配置文件

源桶

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::XXXXXXXXXXXX:role/aws-elasticbeanstalk-ec2-role"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::SOURCE_BUCKET/*"
        },
        {
            "Sid": "Stmt2",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::XXXXXXXXXXXX:role/aws-elasticbeanstalk-ec2-role"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::SOURCE_BUCKET"
        }
    ]
}

目标存储桶 (elasticbeanstalk-us-west-2-XXXXXXXXXXXX)

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "eb-ad78f54a-f239-4c90-adda-49e5f56cb51e",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::XXXXXXXXXXXX:role/aws-elasticbeanstalk-ec2-role"
            },
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::elasticbeanstalk-us-west-2-XXXXXXXXXXXX/*",
                "arn:aws:s3:::elasticbeanstalk-us-west-2-XXXXXXXXXXXX/resources/environments/logs/*"
            ]
        },
        {
            "Sid": "eb-af163bf3-d27b-4712-b795-d1e33e331ca4",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::XXXXXXXXXXXX:role/aws-elasticbeanstalk-ec2-role"
            },
            "Action": [
                "s3:ListBucket",
                "s3:ListBucketVersions",
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::elasticbeanstalk-us-west-2-XXXXXXXXXXXX",
                "arn:aws:s3:::elasticbeanstalk-us-west-2-XXXXXXXXXXXX/resources/environments/*"
            ]
        },
        {
            "Sid": "eb-58950a8c-feb6-11e2-89e0-0800277d041b",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:DeleteBucket",
            "Resource": "arn:aws:s3:::elasticbeanstalk-us-west-2-XXXXXXXXXXXX"
        }
    ]
}

标签: amazon-web-servicesamazon-s3amazon-elastic-beanstalkamazon-iam

解决方案

我尝试向我的 IAM 用户添加完整的 S3 访问权限,但错误仍然存​​在。

该错误与您的 IAM 权限(即您的 IAM 用户)无关。但它是关于 EB 正在使用您的实例的角色(即instance role/profile):

中的实例使用的默认角色aws-elasticbeanstalk-ec2-role。因此,您可以在 IAM 控制台中找到它,并添加所需的 S3 权限。根据您的设置,您可能使用不同的角色。

还是与源存储桶相关的权限错误?

如果您有拒绝访问的存储桶策略,这也可能是原因。

推荐阅读