如何从Elastic Beanstalk实例访问S3存储桶中的dockerconfiguration文件
我创build了我的Dockerrun.aws.json文件,并在创build我的Beanstalk(docker)环境时上传了它。 我还将由“ .dockercfg login”命令创build的.dockercfg文件上载到Dockerrun.aws.jsonconfiguration中指定的S3存储桶中。
但是,当我尝试启动环境时,收到错误(post底部),指出EC2实例无权访问存储桶中的.dockercfg文件。 如何确保Beanstalk应用程序可以访问提供的S3存储桶中的configurationjson文件?
谢谢! (下面的错误)
i-64c62de7 Severe 1 day - - - - - - - - - - 0.00 0.01 0.3 0.0 0.0 99.6 0.1 Application deployment failed at 2016-02-27T04:30:54Z with exit status 1 and error: Hook /opt/elasticbeanstalk/hooks/appdeploy/pre/03build.sh failed. Traceback (most recent call last): File "/opt/elasticbeanstalk/containerfiles/support/download_auth.py", line 18, in download_auth(argv[1], argv[2], get_instance_identity()['document']['region']) File "/opt/elasticbeanstalk/containerfiles/support/download_auth.py", line 15, in download_auth key.get_contents_to_filename('/root/.dockercfg') File "/usr/lib/python2.7/dist-packages/boto/s3/key.py", line 1712, in get_contents_to_filename response_headers=response_headers) File "/usr/lib/python2.7/dist-packages/boto/s3/key.py", line 1650, in get_contents_to_file response_headers=response_headers) File "/usr/lib/python2.7/dist-packages/boto/s3/key.py", line 1482, in get_file query_args=None) File "/usr/lib/python2.7/dist-packages/boto/s3/key.py", line 1514, in _get_file_internal override_num_retries=override_num_retries) File "/usr/lib/python2.7/dist-packages/boto/s3/key.py", line 343, in open override_num_retries=override_num_retries) File "/usr/lib/python2.7/dist-packages/boto/s3/key.py", line 303, in open_read self.resp.reason, body) boto.exception.S3ResponseError: S3ResponseError: 403 Forbidden <?xml version="1.0" encoding="UTF-8"?> AccessDeniedAccess Denied910AD275D3E3110A682j0cjMsfurjyy/PGT3W9wRxI+4sh+rrESuw2WpInERcn4p4f9XGwBFdpBmDYQc Failed to download authentication credentials dockercfg from my-s3-bucket.
您必须确保您正在使用的AIMangular色可以访问您的存储桶和密钥。 就像是
{ "Version": "2012-10-17", "Statement": [ { "Sid": "BucketAccess", "Effect": "Allow", "Action": [ "s3:List*", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::mybucket" ] }, { "Sid": "S3ObjectAccess", "Effect": "Allow", "Action": [ "s3:GetObject*", "s3:List*" ], "Resource": [ "arn:aws:s3:::mybucket/*" ] } ] }
如果你不这样做,你应该从你的.ebextensions指向一个IAM,而不是让EB创build它自己的,所以你可以控制这个
- namespace: aws:autoscaling:launchconfiguration option_name: IamInstanceProfile value: arn:aws:iam::xxxxxxxxx:instance-profile/yourRole