英文:
AWS CLI - using credentials unable to list buckets, using profile I can list buckets
问题
我正在尝试了解以下情况。我已将$HOME/.aws/credentials设置如下:
[aws-users-andres]
aws_access_key_id = accesskey
aws_secret_access_key = UJPYNsecretkey
这些凭据会定期使用一些脚本和MFA进行刷新。环境中设置了$AWS_ACCESS_KEY_ID、AWS_SECRET_ACCESS_KEY和AWS_SESSION_TOKEN。
然后,我还有一个$HOME/.aws/config文件,其中包含公司用于访问不同资源的一组配置文件:
[profile profile_name]
role_arn = arn:aws:iam::1464549XXXX:role/profile_name
credential_source = Environment
现在,如果我尝试列出存储桶:
aws s3 ls
输出是"An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied"。
但是如果使用配置文件运行:
aws s3 ls --profile profile_name
我能够列出我们S3中的存储桶。
我想要在不指定配置文件的情况下列出存储桶,或者设置默认行为为使用profile_name
。我最近被分配了一个任务,定期同步一些Google Cloud Storage存储桶与S3资源,我正在参考这里的想法https://stackoverflow.com/questions/39329580/exporting-data-from-google-cloud-storage-to-amazon-s3,但gsutil命令失败(对S3的访问被拒绝)。
我尝试过设置AWS_PROFILE和AWS_DEFAULT_PROFILE环境变量为profile_name
,但似乎不起作用。
我感激任何帮助和指导。我可以编写一些临时脚本来复制和上传所需的文件从gcloud到s3,但我希望gsutil会是一个更好的选择。
提前感谢。
英文:
I'm trying to understand a bit the following situation. I have set $HOME/.aws/credentials as follows
[aws-users-andres]
aws_access_key_id = accesskey
aws_secret_access_key = UJPYNsecretkey
this credentials are refreshed periodically using some scripts and MFA. $AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN are set in the environment.
Then I also have $HOME/.aws/config file with a set of profiles that my company is using to access different resources:
[profile profile_name]
role_arn = arn:aws:iam::1464549XXXX:role/profile_name
credential_source = Environment
Now if I try to list the buckets:
aws s3 ls
The output is "An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied"
But running using the profile
aws s3 ls --profile profile_name
I'm able to list the buckets in our S3.
I'd like to list the buckets without specifying the profile or set the default behavior to use profile_name
. I was recently tasked with a task to periodically sync some google cloud storage bucket with s3 resources, and was following the ideas from here https://stackoverflow.com/questions/39329580/exporting-data-from-google-cloud-storage-to-amazon-s3 but the gsutil command fails ( Forbidden access to S3 )
I have tried to use AWS_PROFILE and AWS_DEFAULT_PROFILE env var set as profile_name
but that doesn't seem to work.
I appreciate any help and guidance. I could write some ad hoc script to copy and upload the needed files from gcloud to s3 but I was hoping gsutil would be a better option.
Thanks in advance.
答案1
得分: 1
Using inline environment variables:
使用内联环境变量:
AWS_ACCESS_KEY_ID="THISISMYKEY" \
AWS_SECRET_ACCESS_KEY="THIS_IS_SECRET_KEY" \
aws s3 ls
is the quickest but least secure way of doing this. It's insecure because running history | grep "AWS_ACCESS_KEY_ID"
easily exposes the credentials used.
这是最快但安全性最低的方法。它不安全,因为运行 history | grep "AWS_ACCESS_KEY_ID"
很容易暴露使用的凭据。
A better approach is to not use inline shell variables, avoid setting the credentials manually on those places and just utilise the built-in AWS CLI command for configuring profiles for your machine.
更好的方法是不使用内联 shell 变量,在这些地方避免手动设置凭据,并仅使用内置的 AWS CLI 命令为您的计算机配置配置文件。
$ aws configure --profile allan
$ AWS Access Key ID [None]: THISISMYKEY
$ AWS Secret Access Key [None]: THIS_IS_SECRET_KEY
$ Default region name [None]: ap-southeast-1
$ Default output format [None]:
aws s3 ls --profile allan
If these two options don't work, consider seeking help from the person that issued your AWS credentials. The credentials may be stale, incorrect or lack permissions to query S3 buckets.
如果这两个选项不起作用,请考虑向颁发您的 AWS 凭据的人寻求帮助。这些凭据可能已过期、不正确或缺少查询 S3 存储桶的权限。
英文:
Using inline environment variables:
AWS_ACCESS_KEY_ID="THISISMYKEY" \
AWS_SECRET_ACCESS_KEY="THIS_IS_SECRET_KEY" \
aws s3 ls
is the quickest but least secure way of doing this. It's insecure because running history | grep "AWS_ACCESS_KEY_ID"
easily exposes the credentials used.
A better approach is to not use inline shell variables, avoid setting the credentials manually on those places and just utilise the built-in AWS CLI command for configuring profiles for your machine.
$ aws configure --profile allan
$ AWS Access Key ID [None]: THISISMYKEY
$ AWS Secret Access Key [None]: THIS_IS_SECRET_KEY
$ Default region name [None]: ap-southeast-1
$ Default output format [None]:
aws s3 ls --profile allan
If these two options don't work, consider seeking help from the person that issued your AWS credentials. The credentials may be stale, incorrect or lack permissions to query S3 buckets.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论