使用凭证时无法列出存储桶,使用配置文件则可以列出存储桶。

huangapple go评论60阅读模式
英文:

AWS CLI - using credentials unable to list buckets, using profile I can list buckets

问题

我正在尝试了解以下情况。我已将$HOME/.aws/credentials设置如下:

[aws-users-andres]
aws_access_key_id = accesskey
aws_secret_access_key = UJPYNsecretkey

这些凭据会定期使用一些脚本和MFA进行刷新。环境中设置了$AWS_ACCESS_KEY_ID、AWS_SECRET_ACCESS_KEY和AWS_SESSION_TOKEN。

然后,我还有一个$HOME/.aws/config文件,其中包含公司用于访问不同资源的一组配置文件:

[profile profile_name]
role_arn = arn:aws:iam::1464549XXXX:role/profile_name
credential_source = Environment

现在,如果我尝试列出存储桶:

aws s3 ls

输出是"An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied"。

但是如果使用配置文件运行:

aws s3 ls --profile profile_name

我能够列出我们S3中的存储桶。

我想要在不指定配置文件的情况下列出存储桶,或者设置默认行为为使用profile_name。我最近被分配了一个任务,定期同步一些Google Cloud Storage存储桶与S3资源,我正在参考这里的想法https://stackoverflow.com/questions/39329580/exporting-data-from-google-cloud-storage-to-amazon-s3,但gsutil命令失败(对S3的访问被拒绝)。

我尝试过设置AWS_PROFILE和AWS_DEFAULT_PROFILE环境变量为profile_name,但似乎不起作用。

我感激任何帮助和指导。我可以编写一些临时脚本来复制和上传所需的文件从gcloud到s3,但我希望gsutil会是一个更好的选择。

提前感谢。

英文:

I'm trying to understand a bit the following situation. I have set $HOME/.aws/credentials as follows

[aws-users-andres]
aws_access_key_id = accesskey
aws_secret_access_key = UJPYNsecretkey

this credentials are refreshed periodically using some scripts and MFA. $AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN are set in the environment.

Then I also have $HOME/.aws/config file with a set of profiles that my company is using to access different resources:

[profile profile_name]
role_arn = arn:aws:iam::1464549XXXX:role/profile_name
credential_source = Environment

Now if I try to list the buckets:

aws s3 ls

The output is "An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied"

But running using the profile

aws s3 ls --profile profile_name 

I'm able to list the buckets in our S3.

I'd like to list the buckets without specifying the profile or set the default behavior to use profile_name . I was recently tasked with a task to periodically sync some google cloud storage bucket with s3 resources, and was following the ideas from here https://stackoverflow.com/questions/39329580/exporting-data-from-google-cloud-storage-to-amazon-s3 but the gsutil command fails ( Forbidden access to S3 )

I have tried to use AWS_PROFILE and AWS_DEFAULT_PROFILE env var set as profile_name but that doesn't seem to work.

I appreciate any help and guidance. I could write some ad hoc script to copy and upload the needed files from gcloud to s3 but I was hoping gsutil would be a better option.

Thanks in advance.

答案1

得分: 1

Using inline environment variables:

使用内联环境变量:

AWS_ACCESS_KEY_ID="THISISMYKEY" \
AWS_SECRET_ACCESS_KEY="THIS_IS_SECRET_KEY" \
aws s3 ls 

is the quickest but least secure way of doing this. It's insecure because running history | grep "AWS_ACCESS_KEY_ID" easily exposes the credentials used.

这是最快但安全性最低的方法。它不安全,因为运行 history | grep "AWS_ACCESS_KEY_ID" 很容易暴露使用的凭据。

A better approach is to not use inline shell variables, avoid setting the credentials manually on those places and just utilise the built-in AWS CLI command for configuring profiles for your machine.

更好的方法是不使用内联 shell 变量,在这些地方避免手动设置凭据,并仅使用内置的 AWS CLI 命令为您的计算机配置配置文件。

$ aws configure --profile allan
$ AWS Access Key ID [None]: THISISMYKEY
$ AWS Secret Access Key [None]: THIS_IS_SECRET_KEY
$ Default region name [None]: ap-southeast-1
$ Default output format [None]:

aws s3 ls --profile allan 

If these two options don't work, consider seeking help from the person that issued your AWS credentials. The credentials may be stale, incorrect or lack permissions to query S3 buckets.

如果这两个选项不起作用,请考虑向颁发您的 AWS 凭据的人寻求帮助。这些凭据可能已过期、不正确或缺少查询 S3 存储桶的权限。

英文:

Using inline environment variables:

AWS_ACCESS_KEY_ID="THISISMYKEY" \
AWS_SECRET_ACCESS_KEY="THIS_IS_SECRET_KEY" \
aws s3 ls 

is the quickest but least secure way of doing this. It's insecure because running history | grep "AWS_ACCESS_KEY_ID" easily exposes the credentials used.

A better approach is to not use inline shell variables, avoid setting the credentials manually on those places and just utilise the built-in AWS CLI command for configuring profiles for your machine.

$ aws configure --profile allan
$ AWS Access Key ID [None]: THISISMYKEY
$ AWS Secret Access Key [None]: THIS_IS_SECRET_KEY
$ Default region name [None]: ap-southeast-1
$ Default output format [None]:

aws s3 ls --profile allan 

If these two options don't work, consider seeking help from the person that issued your AWS credentials. The credentials may be stale, incorrect or lack permissions to query S3 buckets.

huangapple
  • 本文由 发表于 2023年7月4日 22:29:16
  • 转载请务必保留本文链接:https://go.coder-hub.com/76613642.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定