从调用 AWS CLI 的程序中访问 AWS 服务

huangapple go评论86阅读模式
英文:

Accessing AWS service from a program calling aws cli

问题

运行具有附加的 IAM 角色的 EC2 实例,该角色允许复制/读取 S3 存储桶中的文件。

当通过 SSH 登录到 EC2 实例时,可以使用 aws s3 ... 命令执行所有这些任务。没有凭据,因为它使用的是角色。环境中根本没有与 AWS 相关的内容。
然而,如果我运行一个简单的 GO 程序,只是执行以下操作:

exec.Command("bash", "-c", "aws s3 ls ....")

我会得到 Partial credentials found in env, missing: AWS_SECRET_ACCESS_KEY 的错误。

有点困惑,既然我正在以与我登录的用户相同的用户身份运行此进程,并且正如我在开始时提到的那样,它实际上是有效的,为什么它还要查找凭据呢?

英文:

Running EC2 instance that has an IAM role attached that allows to copy/read files to/from an S3 bucket.

When logged into the EC2 instance (via ssh) I can perform all those tasks using aws s3 ... command. There are no credentials because it's using a role. Env does not have anything related to aws at all.
However, if I run a program (written in GO) that simply does:

exec.Command("bash", "-c", "aws s3 ls ....")

I get Partial credentials found in env, missing: AWS_SECRET_ACCESS_KEY

A bit confused here, shouldn't it just work since I'm running this process as the same user that I'm logged in as and that actually works as I've mentioned in the beginning? Why is it even looking for credentials?

答案1

得分: 0

好的,以下是翻译好的内容:

好的,假设您有一个角色(我们称之为EC2S3AccessRole),允许EC2实例访问S3存储桶,您需要按照此文档操作:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html

例如,在我的情况下(使用golang),我会这样做:

a. 获取令牌:

cmd := exec.Command("bash", "-c", `curl -X PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 600"`)

b. 使用(a)中的令牌获取凭证:

type IAMSecurityCreds struct {
Code            string    `json:"Code"`
LastUpdated     time.Time `json:"LastUpdated"`
Type            string    `json:"Type"`
AccessKeyID     string    `json:"AccessKeyId"`
SecretAccessKey string    `json:"SecretAccessKey"`
Token           string    `json:"Token"`
Expiration      time.Time `json:"Expiration"`
}
...

cmd := exec.Command("bash", "-c", `curl -H "X-aws-ec2-metadata-token: `+token+`" -v http://169.254.169.254/latest/meta-data/iam/security-credentials/EC2S3AccessRole`)
...
将其解析为IAMSecurityCreds的JSON

c. 一旦您拥有所有三个(令牌、密钥、密钥对),您可以运行类似于以下的命令:

cmd := exec.Command("bash", "-c", `AWS_DEFAULT_REGION=us-east-1 AWS_ACCESS_KEY_ID=` + creds.AccessKeyID + ` AWS_SECRET_ACCESS_KEY=` + creds.SecretAccessKey + ` AWS_SESSION_TOKEN="` + creds.Token + `" aws s3 ........`)

就是这样 从调用 AWS CLI 的程序中访问 AWS 服务

英文:

OK, assuming you have a role (lets call it EC2S3AccessRole) that allows ec2 instance access to s3 bucket(s), you need to follow this doc: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html

Eg, in my case (golang), I would do something like this:

a. get token:

cmd := exec.Command("bash", "-c", `curl -X PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 600"`)

b. get credentials using token from (a)

type IAMSecurityCreds struct {
Code            string    `json:"Code"`
LastUpdated     time.Time `json:"LastUpdated"`
Type            string    `json:"Type"`
AccessKeyID     string    `json:"AccessKeyId"`
SecretAccessKey string    `json:"SecretAccessKey"`
Token           string    `json:"Token"`
Expiration      time.Time `json:"Expiration"`
}
...

cmd := exec.Command("bash", "-c", `curl -H "X-aws-ec2-metadata-token: `+token+`" -v http://169.254.169.254/latest/meta-data/iam/security-credentials/EC2S3AccessRole`)
...
json.Unmarshal into IAMSecurityCreds

c. once you have all three (token, key, secret), you can run something like this:

cmd := exec.Command("bash", "-c", `AWS_DEFAULT_REGION=us-east-1 AWS_ACCESS_KEY_ID=` + creds.AccessKeyID + ` AWS_SECRET_ACCESS_KEY=` + creds.SecretAccessKey + ` AWS_SESSION_TOKEN="` + creds.Token + `" aws s3 ........`)

That's it 从调用 AWS CLI 的程序中访问 AWS 服务

huangapple
  • 本文由 发表于 2022年7月14日 11:36:01
  • 转载请务必保留本文链接:https://go.coder-hub.com/72974906.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定