Boto 无法访问具有正确 IAM 角色的 ECS 容器内的存储桶(但 Boto3 可以)
Boto is unable to access bucket inside ECS container which have correct IAM roles (but Boto3 can)
我有 ECS 容器,并且附加了如下 IAM 策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Action": [
"s3:List*",
"s3:Get*"
],
"Resource": "arn:aws:s3:::my_s3_bucket/*"
}
]
}
并同时安装了 boto 和 boto3。
我可以使用 boto3 列出存储桶,但不能通过 boto 列出。请看下面的代码:
import boto3
s3_conn = boto3.client('s3')
s3_conn.list_objects(Bucket='my_s3_bucket')
'Owner': {u'DisplayName': 'shoppymcgee', u'ID': 'adf3425700e4f995d8773a8b********'}, u'Size': 116399950}, {u'LastModified': datetime.datetime(2013, 5, 18, 6, 35, 6, tzinfo=tzlocal()), u'ETag': '"2b4a4d60458cde1685c93dabf98c6e19"', u'StorageClass': 'STANDARD', u'Key': u'2013/05/18/SLPH_201305180605_eligible-product-feed.txt', u'Owner': {u'DisplayName': 'shoppymcgee', u'ID': 'adf3425700e4f995d8773a8be6b0df09d06751f3274d8be5e8ae04761a5eef09'},
import boto
conn = boto.connect_s3()
print conn
S3Connection:s3.amazonaws.com
mybucket = conn.get_bucket('my_s3_bucket')
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/local/lib/python2.7/site-packages/boto/s3/connection.py", line 509, in get_bucket
return self.head_bucket(bucket_name, headers=headers)
File "/usr/local/lib/python2.7/site-packages/boto/s3/connection.py", line 528, in head_bucket
response = self.make_request('HEAD', bucket_name, headers=headers)
File "/usr/local/lib/python2.7/site-packages/boto/s3/connection.py", line 671, in make_request
retry_handler=retry_handler
File "/usr/local/lib/python2.7/site-packages/boto/connection.py", line 1071, in make_request
retry_handler=retry_handler)
File "/usr/local/lib/python2.7/site-packages/boto/connection.py", line 943, in _mexe
request.body, request.headers)
boto 版本 - boto==2.48.0
boto3 和 botocore 的版本 - botocore==1.7.41 和 boto3==1.4.7
Boto 不支持 AWS_CONTAINER_CREDENTIALS_RELATIVE_URI 环境变量,这使得 containers/tasks 能够使用任务特定的 IAM 角色。
如果您在 GitHub 上搜索 Boto 存储库中的环境变量,您将不会找到任何代码命中和一个要求实施它的未解决问题 - https://github.com/boto/boto/search?q=AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
在添加支持之前(如果它完全处于 boto 的维护状态),使用 boto 的唯一方法是 call the metadata service manually on curl 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI,检索凭据并手动将它们传递给boto(不过要注意临时凭证的过期时间)。
或者迁移到 boto3。
我有 ECS 容器,并且附加了如下 IAM 策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Action": [
"s3:List*",
"s3:Get*"
],
"Resource": "arn:aws:s3:::my_s3_bucket/*"
}
]
}
并同时安装了 boto 和 boto3。
我可以使用 boto3 列出存储桶,但不能通过 boto 列出。请看下面的代码:
import boto3
s3_conn = boto3.client('s3')
s3_conn.list_objects(Bucket='my_s3_bucket')
'Owner': {u'DisplayName': 'shoppymcgee', u'ID': 'adf3425700e4f995d8773a8b********'}, u'Size': 116399950}, {u'LastModified': datetime.datetime(2013, 5, 18, 6, 35, 6, tzinfo=tzlocal()), u'ETag': '"2b4a4d60458cde1685c93dabf98c6e19"', u'StorageClass': 'STANDARD', u'Key': u'2013/05/18/SLPH_201305180605_eligible-product-feed.txt', u'Owner': {u'DisplayName': 'shoppymcgee', u'ID': 'adf3425700e4f995d8773a8be6b0df09d06751f3274d8be5e8ae04761a5eef09'},
import boto
conn = boto.connect_s3()
print conn
S3Connection:s3.amazonaws.com
mybucket = conn.get_bucket('my_s3_bucket')
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/local/lib/python2.7/site-packages/boto/s3/connection.py", line 509, in get_bucket
return self.head_bucket(bucket_name, headers=headers)
File "/usr/local/lib/python2.7/site-packages/boto/s3/connection.py", line 528, in head_bucket
response = self.make_request('HEAD', bucket_name, headers=headers)
File "/usr/local/lib/python2.7/site-packages/boto/s3/connection.py", line 671, in make_request
retry_handler=retry_handler
File "/usr/local/lib/python2.7/site-packages/boto/connection.py", line 1071, in make_request
retry_handler=retry_handler)
File "/usr/local/lib/python2.7/site-packages/boto/connection.py", line 943, in _mexe
request.body, request.headers)
boto 版本 - boto==2.48.0
boto3 和 botocore 的版本 - botocore==1.7.41 和 boto3==1.4.7
Boto 不支持 AWS_CONTAINER_CREDENTIALS_RELATIVE_URI 环境变量,这使得 containers/tasks 能够使用任务特定的 IAM 角色。
如果您在 GitHub 上搜索 Boto 存储库中的环境变量,您将不会找到任何代码命中和一个要求实施它的未解决问题 - https://github.com/boto/boto/search?q=AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
在添加支持之前(如果它完全处于 boto 的维护状态),使用 boto 的唯一方法是 call the metadata service manually on curl 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI,检索凭据并手动将它们传递给boto(不过要注意临时凭证的过期时间)。
或者迁移到 boto3。