6

我正在尝试在我的 cloudformation 脚本中检索文件。如果我将文件公开,那么它工作正常。如果文件是私有文件,则 cfn 脚本会失败,但 /var/log/ 中会出现 404 错误。尝试通过 wget 检索文件会导致相应的 403 错误。

如何从 S3 检索私人文件?

我的文件子句看起来像:

    "files" : {
      "/etc/httpd/conf/httpd.conf" : { 
        "source" : "https://s3.amazonaws.com/myConfigBucket/httpd.conf"
      }
    },

我添加了一个身份验证子句和适当的参数:

"Parameters" : {
  "BucketRole" : {
    "Description" : "S3 role for access to bucket",
    "Type" : "String",
    "Default" : "S3Access",
    "ConstraintDescription" : "Must be a valid IAM Role"
  }
}

    "AWS::CloudFormation::Authentication": {
      "default" : {
        "type": "s3",
        "buckets": [ "myConfigBucket" ],
        "roleName": { "Ref" : "BucketRole" }
      }
    },

我的 IAM 角色如下所示:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "*"
    }
  ]
}
4

1 回答 1

6

解决方案是将 IamInstanceProfile 属性添加到实例创建中:

   "Parameters" : {
     ...
     "RoleName" : {
       "Description" : "IAM Role for access to S3",
       "Type" : "String",
       "Default" : "DefaultRoleName",
       "ConstraintDescription" : "Must be a valid IAM Role"
     }
   },

   "Resources" : {
     "InstanceName" : {
       "Type" : "AWS::EC2::Instance",
       "Properties" : {
         "ImageId"             : { "Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "64"] },
         "InstanceType"        : { "Ref" : "InstanceType" },
         "SecurityGroups"      : [ {"Ref" : "SecurityGroup"} ],
         "IamInstanceProfile"  : { "Ref" : "RoleName" },
         "KeyName"             : { "Ref" : "KeyName" }
       }
     },
     ...
于 2013-05-28T14:35:34.460 回答