错误 [CredentialsError]:配置中缺少凭据,但仅当 Fargate AWS 上 运行 时

Error [CredentialsError]: Missing credentials in config, but only when running on Fargate AWS

我建了一个docker文件和docker-compose.yml文件来导入环境。环境看起来像这样:

AWS_ACCESS_KEY_ID=XXX
AWS_SECRET_ACCESS_KEY=XXX
ROLE_ARN=XXX
BUCKET_NAME=BUCKET
AWS_PROFILE=default
AWS_SDK_LOAD_CONFIG=1
AWS_SHARED_CREDENTIALS_FILE=[path]
AWS_CONFIG_FILE=[path]
AWS_REGION=region

当我尝试将文件上传到 S3 时,当我 运行 在我的 PC 上使用 docker-compose up docker 但每当我在 Fargate 上 运行 它时它工作完美, 我收到这个错误

Error [CredentialsError]: Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1
    at Request.extractError (/home/myuser/node_modules/aws-sdk/lib/protocol/query.js:50:29)
    at Request.callListeners (/home/myuser/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/home/myuser/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/home/myuser/node_modules/aws-sdk/lib/request.js:683:14)
    at Request.transition (/home/myuser/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/home/myuser/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /home/myuser/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/home/myuser/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/home/myuser/node_modules/aws-sdk/lib/request.js:685:12)
    at Request.callListeners (/home/myuser/node_modules/aws-sdk/lib/sequential_executor.js:116:18)
    at Request.emit (/home/myuser/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/home/myuser/node_modules/aws-sdk/lib/request.js:683:14)
    at Request.transition (/home/myuser/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/home/myuser/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /home/myuser/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/home/myuser/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/home/myuser/node_modules/aws-sdk/lib/request.js:685:12)
    at Request.callListeners (/home/myuser/node_modules/aws-sdk/lib/sequential_executor.js:116:18)
    at callNextListener (/home/myuser/node_modules/aws-sdk/lib/sequential_executor.js:96:12)
    at IncomingMessage.onEnd (/home/myuser/node_modules/aws-sdk/lib/event_listeners.js:307:13)
    at IncomingMessage.emit (events.js:322:22)
    at IncomingMessage.EventEmitter.emit (domain.js:482:12) {
  code: 'CredentialsError',
  time: 2020-06-11T12:47:25.609Z,
  requestId: '0d6fd3d4-df21-4195-a6e4-de470006429d',
  statusCode: 403,
  retryable: false,
  retryDelay: 80.8300420619739,
  originalError: {
    message: 'Could not load credentials from ChainableTemporaryCredentials',
    code: 'CredentialsError',
    time: 2020-06-11T12:47:25.609Z,
    requestId: '0d6fd3d4-df21-4195-a6e4-de470006429d',
    statusCode: 403,
    retryable: false,
    retryDelay: 80.8300420619739,
    originalError: {
      message: 'Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1',
      code: 'CredentialsError',
      time: 2020-06-11T12:47:25.609Z,
      requestId: '0d6fd3d4-df21-4195-a6e4-de470006429d',
      statusCode: 403,
      retryable: false,
      retryDelay: 80.8300420619739,
      originalError: [Object]
    }
  }
}

这是我的凭据代码的一部分:

    var envCreds = new AWS.EnvironmentCredentials('AWS');
    s3.config.credentials = envCreds;
    s3.config.credentials = new AWS.ChainableTemporaryCredentials({
        params: {
            RoleArn: process.env.ROLE_ARN,
            region: process.env.AWS_REGION
        }
    });

我需要转换角色。我试过使用 SharedIniFileCredentials 但没有运气,我总是得到 AccessDenied。

我使用控制台日志来记录凭据,唯一的区别是 region 在 Fargate 上设置为 ap-northeast-1,而在本地设置为 undefined。由于 bucket 和 Fargate 在同一台服务器上。我真的不知道这个地区来自哪里,这有什么关系。

这是一个错误还是我哪里错了?为什么它 运行 在我的 PC 上正常,但在 fargate 上却不行?那是因为 Fargate 中的环境冲突吗?几天来我一直在这个麻烦中,任何帮助将不胜感激。谢谢。

编辑:我想通了。不知何故,Docker 在我的 Fargate 中使用了不同的环境变量,当我尝试使用这些变量时,我在本地遇到了同样的错误。

根据评论。

针对身份验证问题的建议解决方案是使用 IAM Roles for Tasks,而不是将访问和密钥硬编码到代码中或将它们作为环境变量传递。

任务角色的使用符合 AWS 良好实践,即不对任何凭证进行硬编码,而是使用临时凭证:

With IAM roles for Amazon ECS tasks, you can specify an IAM role that can be used by the containers in a task. Applications must sign their AWS API requests with AWS credentials, and this feature provides a strategy for managing credentials for your applications to use, similar to the way that Amazon EC2 instance profiles provide credentials to EC2 instances.