How do you get a VPC endpoint to work in a Docker container?

I cannot get the AWS CLI to download a text file from S3 from inside a Docker container. There is a VPC set up with a VPC endpoint that is approved in the S3 bucket policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::secret-store/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    },
    {
      "Sid": "DenyUnEncryptedInflightOperations",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::secret-store/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    },
    {
      "Sid": "Access-to-specific-VPCE-only",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::secret-store/*",
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": "vpce-de7893b7"
        }
      }
    }
  ]
}
```

I am using a Dockerfile to install the AWS CLI and call an entrypoint script:

```dockerfile
FROM java:8

# Install the AWS CLI from the bundled installer on top of the Java base image.
RUN apt-get update && \
    apt-get -y install python curl unzip && \
    cd /tmp && \
    curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip" && \
    unzip awscli-bundle.zip && \
    ./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws && \
    rm awscli-bundle.zip && rm -rf awscli-bundle

COPY entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
```

The entrypoint script sets up the AWS CLI configuration file and calls `aws s3 cp s3://bucket/file.txt -`:

```bash
#!/bin/bash
# Write a minimal AWS CLI config for the default profile, then stream the
# test object from the bucket to stdout.
mkdir ~/.aws
echo '[default]
aws_access_key_id=
aws_secret_access_key=
output=json
region=us-west-2' > ~/.aws/config
aws --version
aws s3 cp s3://secret-store/test.txt -
```

When I run the entrypoint script from the EC2 command line, I get the expected authorized response:

```text
[ec2-user@ip-10-0-1-86 ~]$ ./entrypoint.sh
mkdir: cannot create directory '/home/ec2-user/.aws': File exists
aws-cli/1.11.22 Python/2.7.5 Linux/3.10.0-514.el7.x86_64 botocore/1.4.79
Hello secure VPC world!
```

However, when I run the same script from a Docker image on the same host, I get a download failed (Forbidden) error:

```text
[ec2-user@ip-10-0-1-86 ~]$ docker build . -t test && docker run test
Sending build context to Docker daemon 15.89 MB
Step 1 : FROM java:8
 ---> 861e95c114d6
Step 2 : RUN apt-get update && apt-get -y install python curl unzip && cd /tmp && curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip" && unzip awscli-bundle.zip && ./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws && rm awscli-bundle.zip && rm -rf awscli-bundle
 ---> Using cache
 ---> c948b9caeaae
Step 3 : COPY entrypoint.sh /entrypoint.sh
 ---> Using cache
 ---> 9c1774cc5d57
Step 4 : ENTRYPOINT /entrypoint.sh
 ---> Running in 98179b1b7172
 ---> d8f12456a198
Removing intermediate container 98179b1b7172
Successfully built d8f12456a198
aws-cli/1.11.22 Python/2.7.9 Linux/3.10.0-514.el7.x86_64 botocore/1.4.79
download failed: s3://secret-store/test.txt to - An error occurred (403) when calling the HeadObject operation: Forbidden
```

Does anyone know why I get a Forbidden response in a Docker container running on the same host from which I get a successful response?

VPC endpoints use internal addresses, so if your build container resolves the external S3 endpoint the policy will not apply. Docker builds should only use bridge networking, but you can add an nslookup debugging line to your Dockerfile and compare it with the same command on the host where it works.

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html
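To see exactly which statement produces the 403 when a request does not arrive through the endpoint, here is an added example (not code from the question or the answer above) that replays the bucket policy posted in the question against constructed request contexts. It models only the Deny side of evaluation and the two condition operators the policy uses, StringNotEquals and Bool; the sample contexts, and the assumption that a request which never traversed the gateway endpoint carries no aws:sourceVpce key at all, are the example's own. The point it demonstrates is that StringNotEquals on an absent condition key evaluates to true, so the "Access-to-specific-VPCE-only" Deny fires for any path that bypasses the endpoint, and S3 reports that Deny as 403 Forbidden on HeadObject, which is what `aws s3 cp` issues first.

```python
"""Replay the question's S3 bucket policy against simulated request contexts.

Added example, not code from the original post.  Only what the posted policy
needs is modelled: Deny statements, the StringNotEquals and Bool operators,
and '*' wildcards in Action/Resource.  "Not denied" here is weaker than
"allowed": an Allow (in IAM or the bucket policy) is still required.
"""
from fnmatch import fnmatchcase

# The policy from the question (stray leading space in the second Sid removed).
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::secret-store/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
        {"Sid": "DenyUnEncryptedInflightOperations", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::secret-store/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "Access-to-specific-VPCE-only", "Effect": "Deny", "Principal": "*",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::secret-store/*",
         "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-de7893b7"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style Action/Resource matching: exact string or '*' wildcard."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Every operator block and every key inside it must hold (logical AND)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringNotEquals":
                # Negated operator: a key absent from the request context can
                # never be "equal", so the condition is TRUE and a Deny built
                # on it fires.  Traffic that did not traverse the endpoint has
                # no aws:sourceVpce key, which is how it gets denied here.
                if actual is not None and actual in _as_list(expected):
                    return False
            elif operator == "Bool":
                # Positive operator: an absent key never matches.
                if actual is None or str(actual).lower() != str(_as_list(expected)[0]).lower():
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def denying_statements(policy, action, resource, context):
    """Return the Sids of the Deny statements that match this request.

    A non-empty list means S3 answers 403 Forbidden (for HeadObject as well
    as GetObject); an empty list means no explicit Deny matched.
    """
    hits = []
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny":
            continue
        if not _matches(statement["Action"], action):
            continue
        if not _matches(statement["Resource"], resource):
            continue
        if _condition_holds(statement.get("Condition", {}), context):
            hits.append(statement["Sid"])
    return hits


# Constructed request contexts (assumption: S3 populates aws:sourceVpce only
# when the request actually arrived through the gateway endpoint).
OBJECT = "arn:aws:s3:::secret-store/test.txt"
VIA_ENDPOINT = {"aws:SecureTransport": "true", "aws:sourceVpce": "vpce-de7893b7"}
NOT_VIA_ENDPOINT = {"aws:SecureTransport": "true"}

if __name__ == "__main__":
    # `aws s3 cp` begins with HeadObject, which is authorised by s3:GetObject.
    cases = {
        "GET through the endpoint over TLS": ("s3:GetObject", VIA_ENDPOINT),
        "GET that bypassed the endpoint": ("s3:GetObject", NOT_VIA_ENDPOINT),
        "GET through the endpoint over plain HTTP":
            ("s3:GetObject", {**VIA_ENDPOINT, "aws:SecureTransport": "false"}),
        "PUT through the endpoint without an SSE header": ("s3:PutObject", VIA_ENDPOINT),
        "PUT with SSE-S3 requested":
            ("s3:PutObject", {**VIA_ENDPOINT, "s3:x-amz-server-side-encryption": "AES256"}),
    }
    for label, (action, ctx) in cases.items():
        denied_by = denying_statements(BUCKET_POLICY, action, OBJECT, ctx)
        verdict = "403 Forbidden via " + ", ".join(denied_by) if denied_by else "not denied"
        print(f"{label}: {verdict}")
```

Run it as a script to see the five verdicts side by side. The answer's debugging suggestion (compare DNS resolution from the host and from the container) maps onto the second case: whatever the container's route to S3 is, if the request does not enter through vpce-de7893b7 the condition key is missing and the third statement denies it, regardless of the credentials the CLI picked up.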