问题
I am in the process of creating an AMI for my application and putting it on the AWS Marketplace. My application requires access to an S3 bucket where the documents uploaded to my application are stored. When starting my application I request the user to input the Access key, secret key, and the bucket name like this:
docker run -d --name ourcontainername -e UPLOAD_ACCESS=<access_key> -e UPLOAD_SECRET=<secret_key> -e UPLOAD_BUCKET=<bucket> ourimagename
However, it seems that AWS Marketplace does not allow this practice.
However, for AWS Marketplace,we require application authors to use AWS Identity and Access Management (IAM) roles and do not permit the use of access or secret keys.
I am reading this documentation that suggests ways to use IAM roles for this: https://d0.awsstatic.com/whitepapers/strategies-for-managing-access-to-aws-resources-in-aws-marketplace.pdf However, I can't make sense of how to do what they are suggesting. They suggest the following:
- Create a new instance role.
- Add a trust relationship that allows ec2.amazonaws.com to assume the role.
- Create a new policy that specifies the permissions required.
- Add the new policy to the new instance role.
- Create a new EC2 instance that specifies the IAM role.
- Build your app by using one of the AWS SDKs. Do not specify credentials when calling methods, because temporary credentials will be automatically added by the SDK.
Below I mention what I've done for each of the points above.
- Done
- I can not add a trust relationship. I pick the "Amazon EC2" service role and "Step 3: Establish Trust" is automatically filled for me
3 and 4. I attach the "AmazonS3FullAccess" policy
- I started a new EC2 Instance that specifies the role created in (1)
However, I am not sure what (6) means?
Build your app by using one of the AWS SDKs. Do not specify credentials when calling methods, because temporary credentials will be automatically added by the SDK.
On the new instance I created, when I do
[ec2-user@ip-172-31-42-131 ~]$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<rolename>
I can see the ACCESS_KEY, SECRET_KEY, and TOKEN. Should my application use these instead?
FWIW, my application is a Grails application that runs on JVM inside a docker container.
来源:https://stackoverflow.com/questions/41169163/how-to-access-s3-on-an-ami-in-the-aws-marketplace