I have files stored on S3 and wrote .ebextensions config to automatically copy them to new instances. I'm receiving this error in the Elastic Beanstalk con
The documentation is very sketchy on the subject (probably an ideal candidate for StackExchange Docs!).
To do this correctly with .ebextensions, you need to allow the Beanstalk instance IAM user in the bucket policy, set up an AWS::CloudFormation::Authentication: auth config and attach the config to remote sources. This is kind of a hybrid of all the other answers, but all failed in one way or another for me.
Assuming your IAM instance role is aws-elasticbeanstalk-ec2-role:
Set your AWS bucket to allow the Beanstalk IAM User. Edit "bucket policy":
    {
        "Version": "2012-10-17",
        "Id": "BeanstalkS3Copy",
        "Statement": [
            {
                "Sid": "",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "<beanstalk_iam_role_arn>"
                },
                "Action": [
                    "s3:ListBucketVersions",
                    "s3:ListBucket",
                    "s3:GetObjectVersion",
                    "s3:GetObject"
                ],
                "Resource": [
                    "arn:aws:s3:::<bucket_name>",
                    "arn:aws:s3:::<bucket_name>/*"
                ]
            }
        ]
    }
where:
beanstalk_iam_role_arn = the fully qualified instance IAM role. See "IAM role" associated with a running instance if available or see environment configuration. Example: arn:aws:iam::12345689:role/aws-elasticbeanstalk-ec2-role
bucket_name = your bucket name
In your .ebextensions/myconfig.config, add an S3 authentication block that uses your IAM instance user:
    Resources:
      AWSEBAutoScalingGroup:
        Metadata:
          AWS::CloudFormation::Authentication:
            S3Auth:
              type: "s3"
              buckets: ["bucket_name"]
              roleName:
                "Fn::GetOptionSetting":
                  Namespace: "aws:asg:launchconfiguration"
                  OptionName: "IamInstanceProfile"
                  DefaultValue: "aws-elasticbeanstalk-ec2-role"
Set bucket_name appropriately.
Define a remote file and attach the S3 Authentication block:
    # Remote file definitions live under the top-level "files" key of the .config file.
    files:
      "/etc/myfile.txt" :
        mode: "000400"
        owner: root
        group: root
        authentication: "S3Auth" # Matches the auth block above.
        source: https://s3-eu-west-1.amazonaws.com/mybucket/myfile.txt
Set your source URL appropriately.
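
An added example, not part of the original answer: a small Python check of a bucket policy against the shape described above (one named instance role, read-only actions, and both the bucket ARN and the bucket/* ARN as resources). The account ID, role ARN and sample policies are constructed, and `lint_bucket_policy` is a hypothetical helper name.

```python
import json

# Read-only actions the answer's bucket policy grants (lowercased for comparison).
BUCKET_ACTIONS = {"s3:listbucket", "s3:listbucketversions"}  # need the bucket ARN
OBJECT_ACTIONS = {"s3:getobject", "s3:getobjectversion"}     # need the bucket/* ARN

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_bucket_policy(policy_json, role_arn, bucket):
    """Return findings for a bucket policy; an empty list means it matches the answer's shape."""
    findings, role_granted = [], False
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for n, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        resources = set(_as_list(stmt.get("Resource", [])))
        if "*" in principals:
            findings.append(f"statement {n}: wildcard principal")
        role_granted = role_granted or role_arn in principals
        extra = actions - BUCKET_ACTIONS - OBJECT_ACTIONS
        if extra:
            findings.append(f"statement {n}: more than read access: {sorted(extra)}")
        if actions & BUCKET_ACTIONS and bucket_arn not in resources:
            findings.append(f"statement {n}: list actions need {bucket_arn}")
        if actions & OBJECT_ACTIONS and f"{bucket_arn}/*" not in resources:
            findings.append(f"statement {n}: get actions need {bucket_arn}/*")
    if not role_granted:
        findings.append("instance role is not named as a principal")
    return findings

# Constructed sample values (not from the original answer).
ROLE = "arn:aws:iam::111122223333:role/aws-elasticbeanstalk-ec2-role"
GOOD = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ROLE},
    "Action": ["s3:ListBucketVersions", "s3:ListBucket", "s3:GetObjectVersion", "s3:GetObject"],
    "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"]}]})
BAD = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::mybucket/*"}]})

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_bucket_policy(doc, ROLE, "mybucket"))
```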