英文:
Accessing AWS service from a program calling aws cli
问题
运行具有附加的 IAM 角色的 EC2 实例,该角色允许复制/读取 S3 存储桶中的文件。
当通过 SSH 登录到 EC2 实例时,可以使用 aws s3 ... 命令执行所有这些任务。没有凭据,因为它使用的是角色。环境中根本没有与 AWS 相关的内容。
然而,如果我运行一个简单的 GO 程序,只是执行以下操作:
exec.Command("bash", "-c", "aws s3 ls ....")
我会得到 Partial credentials found in env, missing: AWS_SECRET_ACCESS_KEY 的错误。
有点困惑,既然我正在以与我登录的用户相同的用户身份运行此进程,并且正如我在开始时提到的那样,它实际上是有效的,为什么它还要查找凭据呢?
英文:
Running EC2 instance that has an IAM role attached that allows to copy/read files to/from an S3 bucket.
When logged into the EC2 instance (via ssh) I can perform all those tasks using aws s3 ... command. There are no credentials because it's using a role. Env does not have anything related to aws at all.
However, if I run a program (written in GO) that simply does:
exec.Command("bash", "-c", "aws s3 ls ....")
I get Partial credentials found in env, missing: AWS_SECRET_ACCESS_KEY
A bit confused here, shouldn't it just work since I'm running this process as the same user that I'm logged in as and that actually works as I've mentioned in the beginning? Why is it even looking for credentials?
答案1
得分: 0
好的,以下是翻译好的内容:
好的,假设您有一个角色(我们称之为EC2S3AccessRole),允许EC2实例访问S3存储桶,您需要按照此文档操作:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
例如,在我的情况下(使用golang),我会这样做:
a. 获取令牌:
cmd := exec.Command("bash", "-c", `curl -X PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 600"`)
b. 使用(a)中的令牌获取凭证:
type IAMSecurityCreds struct {
Code string `json:"Code"`
LastUpdated time.Time `json:"LastUpdated"`
Type string `json:"Type"`
AccessKeyID string `json:"AccessKeyId"`
SecretAccessKey string `json:"SecretAccessKey"`
Token string `json:"Token"`
Expiration time.Time `json:"Expiration"`
}
...
cmd := exec.Command("bash", "-c", `curl -H "X-aws-ec2-metadata-token: `+token+`" -v http://169.254.169.254/latest/meta-data/iam/security-credentials/EC2S3AccessRole`)
...
将其解析为IAMSecurityCreds的JSON
c. 一旦您拥有所有三个(令牌、密钥、密钥对),您可以运行类似于以下的命令:
cmd := exec.Command("bash", "-c", `AWS_DEFAULT_REGION=us-east-1 AWS_ACCESS_KEY_ID=` + creds.AccessKeyID + ` AWS_SECRET_ACCESS_KEY=` + creds.SecretAccessKey + ` AWS_SESSION_TOKEN="` + creds.Token + `" aws s3 ........`)
就是这样 
英文:
OK, assuming you have a role (lets call it EC2S3AccessRole) that allows ec2 instance access to s3 bucket(s), you need to follow this doc: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
Eg, in my case (golang), I would do something like this:
a. get token:
cmd := exec.Command("bash", "-c", `curl -X PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 600"`)
b. get credentials using token from (a)
type IAMSecurityCreds struct {
Code string `json:"Code"`
LastUpdated time.Time `json:"LastUpdated"`
Type string `json:"Type"`
AccessKeyID string `json:"AccessKeyId"`
SecretAccessKey string `json:"SecretAccessKey"`
Token string `json:"Token"`
Expiration time.Time `json:"Expiration"`
}
...
cmd := exec.Command("bash", "-c", `curl -H "X-aws-ec2-metadata-token: `+token+`" -v http://169.254.169.254/latest/meta-data/iam/security-credentials/EC2S3AccessRole`)
...
json.Unmarshal into IAMSecurityCreds
c. once you have all three (token, key, secret), you can run something like this:
cmd := exec.Command("bash", "-c", `AWS_DEFAULT_REGION=us-east-1 AWS_ACCESS_KEY_ID=` + creds.AccessKeyID + ` AWS_SECRET_ACCESS_KEY=` + creds.SecretAccessKey + ` AWS_SESSION_TOKEN="` + creds.Token + `" aws s3 ........`)
That's it
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论