错误 [CredentialsError]:配置中缺少凭据,但仅当 Fargate AWS 上 运行 时
Error [CredentialsError]: Missing credentials in config, but only when running on Fargate AWS
我建了一个docker文件和docker-compose.yml文件来导入环境。环境看起来像这样:
AWS_ACCESS_KEY_ID=XXX
AWS_SECRET_ACCESS_KEY=XXX
ROLE_ARN=XXX
BUCKET_NAME=BUCKET
AWS_PROFILE=default
AWS_SDK_LOAD_CONFIG=1
AWS_SHARED_CREDENTIALS_FILE=[path]
AWS_CONFIG_FILE=[path]
AWS_REGION=region
当我尝试将文件上传到 S3 时,当我 运行 在我的 PC 上使用 docker-compose up
docker 但每当我在 Fargate 上 运行 它时它工作完美, 我收到这个错误
Error [CredentialsError]: Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1
at Request.extractError (/home/myuser/node_modules/aws-sdk/lib/protocol/query.js:50:29)
at Request.callListeners (/home/myuser/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
at Request.emit (/home/myuser/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
at Request.emit (/home/myuser/node_modules/aws-sdk/lib/request.js:683:14)
at Request.transition (/home/myuser/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/home/myuser/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /home/myuser/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/home/myuser/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/home/myuser/node_modules/aws-sdk/lib/request.js:685:12)
at Request.callListeners (/home/myuser/node_modules/aws-sdk/lib/sequential_executor.js:116:18)
at Request.emit (/home/myuser/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
at Request.emit (/home/myuser/node_modules/aws-sdk/lib/request.js:683:14)
at Request.transition (/home/myuser/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/home/myuser/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /home/myuser/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/home/myuser/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/home/myuser/node_modules/aws-sdk/lib/request.js:685:12)
at Request.callListeners (/home/myuser/node_modules/aws-sdk/lib/sequential_executor.js:116:18)
at callNextListener (/home/myuser/node_modules/aws-sdk/lib/sequential_executor.js:96:12)
at IncomingMessage.onEnd (/home/myuser/node_modules/aws-sdk/lib/event_listeners.js:307:13)
at IncomingMessage.emit (events.js:322:22)
at IncomingMessage.EventEmitter.emit (domain.js:482:12) {
code: 'CredentialsError',
time: 2020-06-11T12:47:25.609Z,
requestId: '0d6fd3d4-df21-4195-a6e4-de470006429d',
statusCode: 403,
retryable: false,
retryDelay: 80.8300420619739,
originalError: {
message: 'Could not load credentials from ChainableTemporaryCredentials',
code: 'CredentialsError',
time: 2020-06-11T12:47:25.609Z,
requestId: '0d6fd3d4-df21-4195-a6e4-de470006429d',
statusCode: 403,
retryable: false,
retryDelay: 80.8300420619739,
originalError: {
message: 'Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1',
code: 'CredentialsError',
time: 2020-06-11T12:47:25.609Z,
requestId: '0d6fd3d4-df21-4195-a6e4-de470006429d',
statusCode: 403,
retryable: false,
retryDelay: 80.8300420619739,
originalError: [Object]
}
}
}
这是我的凭据代码的一部分:
var envCreds = new AWS.EnvironmentCredentials('AWS');
s3.config.credentials = envCreds;
s3.config.credentials = new AWS.ChainableTemporaryCredentials({
params: {
RoleArn: process.env.ROLE_ARN,
region: process.env.AWS_REGION
}
});
我需要转换角色。我试过使用 SharedIniFileCredentials 但没有运气,我总是得到 AccessDenied。
我使用控制台日志来记录凭据,唯一的区别是
region
在 Fargate 上设置为 ap-northeast-1
,而在本地设置为 undefined
。由于 bucket 和 Fargate 在同一台服务器上。我真的不知道这个地区来自哪里,这有什么关系。
这是一个错误还是我哪里错了?为什么它 运行 在我的 PC 上正常,但在 fargate 上却不行?那是因为 Fargate 中的环境冲突吗?几天来我一直在这个麻烦中,任何帮助将不胜感激。谢谢。
编辑:我想通了。不知何故,Docker 在我的 Fargate 中使用了不同的环境变量,当我尝试使用这些变量时,我在本地遇到了同样的错误。
根据评论。
针对身份验证问题的建议解决方案是使用 IAM Roles for Tasks,而不是将访问和密钥硬编码到代码中或将它们作为环境变量传递。
任务角色的使用符合 AWS 良好实践,即不对任何凭证进行硬编码,而是使用临时凭证:
With IAM roles for Amazon ECS tasks, you can specify an IAM role that can be used by the containers in a task. Applications must sign their AWS API requests with AWS credentials, and this feature provides a strategy for managing credentials for your applications to use, similar to the way that Amazon EC2 instance profiles provide credentials to EC2 instances.
我建了一个docker文件和docker-compose.yml文件来导入环境。环境看起来像这样:
AWS_ACCESS_KEY_ID=XXX
AWS_SECRET_ACCESS_KEY=XXX
ROLE_ARN=XXX
BUCKET_NAME=BUCKET
AWS_PROFILE=default
AWS_SDK_LOAD_CONFIG=1
AWS_SHARED_CREDENTIALS_FILE=[path]
AWS_CONFIG_FILE=[path]
AWS_REGION=region
当我尝试将文件上传到 S3 时,当我 运行 在我的 PC 上使用 docker-compose up
docker 但每当我在 Fargate 上 运行 它时它工作完美, 我收到这个错误
Error [CredentialsError]: Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1
at Request.extractError (/home/myuser/node_modules/aws-sdk/lib/protocol/query.js:50:29)
at Request.callListeners (/home/myuser/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
at Request.emit (/home/myuser/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
at Request.emit (/home/myuser/node_modules/aws-sdk/lib/request.js:683:14)
at Request.transition (/home/myuser/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/home/myuser/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /home/myuser/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/home/myuser/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/home/myuser/node_modules/aws-sdk/lib/request.js:685:12)
at Request.callListeners (/home/myuser/node_modules/aws-sdk/lib/sequential_executor.js:116:18)
at Request.emit (/home/myuser/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
at Request.emit (/home/myuser/node_modules/aws-sdk/lib/request.js:683:14)
at Request.transition (/home/myuser/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/home/myuser/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /home/myuser/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/home/myuser/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/home/myuser/node_modules/aws-sdk/lib/request.js:685:12)
at Request.callListeners (/home/myuser/node_modules/aws-sdk/lib/sequential_executor.js:116:18)
at callNextListener (/home/myuser/node_modules/aws-sdk/lib/sequential_executor.js:96:12)
at IncomingMessage.onEnd (/home/myuser/node_modules/aws-sdk/lib/event_listeners.js:307:13)
at IncomingMessage.emit (events.js:322:22)
at IncomingMessage.EventEmitter.emit (domain.js:482:12) {
code: 'CredentialsError',
time: 2020-06-11T12:47:25.609Z,
requestId: '0d6fd3d4-df21-4195-a6e4-de470006429d',
statusCode: 403,
retryable: false,
retryDelay: 80.8300420619739,
originalError: {
message: 'Could not load credentials from ChainableTemporaryCredentials',
code: 'CredentialsError',
time: 2020-06-11T12:47:25.609Z,
requestId: '0d6fd3d4-df21-4195-a6e4-de470006429d',
statusCode: 403,
retryable: false,
retryDelay: 80.8300420619739,
originalError: {
message: 'Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1',
code: 'CredentialsError',
time: 2020-06-11T12:47:25.609Z,
requestId: '0d6fd3d4-df21-4195-a6e4-de470006429d',
statusCode: 403,
retryable: false,
retryDelay: 80.8300420619739,
originalError: [Object]
}
}
}
这是我的凭据代码的一部分:
var envCreds = new AWS.EnvironmentCredentials('AWS');
s3.config.credentials = envCreds;
s3.config.credentials = new AWS.ChainableTemporaryCredentials({
params: {
RoleArn: process.env.ROLE_ARN,
region: process.env.AWS_REGION
}
});
我需要转换角色。我试过使用 SharedIniFileCredentials 但没有运气,我总是得到 AccessDenied。
我使用控制台日志来记录凭据,唯一的区别是
region
在 Fargate 上设置为 ap-northeast-1
,而在本地设置为 undefined
。由于 bucket 和 Fargate 在同一台服务器上。我真的不知道这个地区来自哪里,这有什么关系。
这是一个错误还是我哪里错了?为什么它 运行 在我的 PC 上正常,但在 fargate 上却不行?那是因为 Fargate 中的环境冲突吗?几天来我一直在这个麻烦中,任何帮助将不胜感激。谢谢。
编辑:我想通了。不知何故,Docker 在我的 Fargate 中使用了不同的环境变量,当我尝试使用这些变量时,我在本地遇到了同样的错误。
根据评论。
针对身份验证问题的建议解决方案是使用 IAM Roles for Tasks,而不是将访问和密钥硬编码到代码中或将它们作为环境变量传递。
任务角色的使用符合 AWS 良好实践,即不对任何凭证进行硬编码,而是使用临时凭证:
With IAM roles for Amazon ECS tasks, you can specify an IAM role that can be used by the containers in a task. Applications must sign their AWS API requests with AWS credentials, and this feature provides a strategy for managing credentials for your applications to use, similar to the way that Amazon EC2 instance profiles provide credentials to EC2 instances.