This page covers how to handle the "Unknown" error an EC2 instance role gets when attempting `aws s3 cp` on a KMS-encrypted file.

Question

I've got an ASG that assigns an IAM Role to each of the instances that join it. Therefore, each instance has the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables baked-in, which will be used upon instantiation to download and decrypt credentials that are stored in an S3 bucket and encrypted using KMS keys.

So I'll have the following components:

  • An S3 bucket called top-secret.myapp.com
  • All objects in this bucket are encrypted using a KMS key called My-KMS-Key
  • An IAM instance role with inline policies attached granting it the ability to interact with both the bucket and the KMS key used to encrypt/decrypt the contents of the bucket (see below)
  • A user data script that installs the aws-cli upon instantiation and then goes about attempting to download and decrypt an object from the top-secret.myapp.com bucket.

User data script

Upon instantiation, any given instance runs the following script:

#!/bin/bash

apt-get update
apt-get -y install python-pip
apt-get -y install awscli

cd /home/ubuntu
aws s3 cp s3://top-secret.myapp.com/secrets.sh . --region us-east-1
chmod +x secrets.sh
. secrets.sh
shred -u -z -n 27 secrets.sh


IAM role policies

The IAM role for my ASG instances has three policies attached inline:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::top-secret.myapp.com"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:List*",
                "s3:Get*"
            ],
            "Resource": [
                "arn:aws:s3:::top-secret.myapp.com/secrets.sh"
            ]
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:*"
            ],
            "Resource": "arn:aws:kms:us-east-1:ACCOUNT-ID:key/UUID-OF-MY-SECRET-KEY-HERE"
        }
    ]
}

The first policy is essentially a full-root-access policy with no restrictions. Or so I thought, but it doesn't work. So I thought it might be that I need to explicitly apply policies that allow interaction with S3 encryption and/or KMS, makes sense.

So I added the second policy that allows the IAM instance role to list the top-secret.myapp.com bucket, and LIST and GET the secrets.sh object within the bucket. But this produced the error illustrated below.

The (Unknown) error I get

download failed: s3://top-secret.myapp.com/secrets.sh to ./secrets.sh
A client error (Unknown) occurred when calling the GetObject operation: Unknown

Anyone have any idea what could be causing this error?


Accepted answer

For me, the issue was two-fold:


  1. If you're using server-side encryption via KMS, you need to supply the --sse aws:kms flag to the aws s3 cp [...] command.
  2. I was installing an out-of-date version of awscli (version 1.2.9) via apt, and that version didn't recognize the --sse aws:kms command
    • Running apt-get remove awscli and installing via pip install awscli gave me version 1.10.51, which worked.



Edit:



If you're using a different KMS key than the default master key for your account, you will need to also add the following flag:

--sse-kms-key-id [your KMS key ID]
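As an added example (not code from the original question or answer), here is the user-data download step rewritten to apply the answer: remove the apt-packaged awscli, install it via pip, refuse to continue if the installed version is older than the 1.10.51 the answer reports working, and pass `--sse aws:kms` plus `--sse-kms-key-id`. The bucket, object key, region and key-ID placeholders are the ones from the question; `RUN_USER_DATA` is an assumed guard variable so the helper functions can be exercised without running the install, and `version_ge`, `awscli_version` and `build_cp_cmd` are names chosen here, not part of the AWS CLI.

```bash
#!/bin/bash
# Added example: corrected user-data download step for a KMS-encrypted
# S3 object. Placeholders below come from the question; ACCOUNT-ID and
# RUN_USER_DATA are assumptions made for this example.
set -eu

BUCKET="top-secret.myapp.com"
OBJECT_KEY="secrets.sh"
REGION="us-east-1"
KMS_KEY_ID="UUID-OF-MY-SECRET-KEY-HERE"   # the CMK's key ID (not the alias)
MIN_AWSCLI="1.10.51"                       # version the answer reports working

# version_ge A B: true (exit 0) when dotted version A >= B, compared
# field by field as integers so 1.10.51 sorts above 1.2.9.
version_ge() {
  v1=$1; v2=$2
  while [ -n "$v1" ] || [ -n "$v2" ]; do
    x=${v1%%.*}; y=${v2%%.*}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    case $v1 in *.*) v1=${v1#*.};; *) v1="";; esac
    case $v2 in *.*) v2=${v2#*.};; *) v2="";; esac
  done
  return 0
}

# awscli_version LINE: pull "1.10.51" out of a line such as
# "aws-cli/1.10.51 Python/2.7.12 Linux/4.4.0 botocore/1.4.41".
# (awscli v1 prints --version on stderr, hence the 2>&1 in main.)
awscli_version() {
  printf '%s\n' "$1" | sed -n 's#^aws-cli/\([0-9][0-9.]*\).*#\1#p'
}

# build_cp_cmd BUCKET KEY REGION KMS_KEY_ID: the download command with
# the two flags the answer says were missing from the original script.
build_cp_cmd() {
  printf 'aws s3 cp s3://%s/%s . --region %s --sse aws:kms --sse-kms-key-id %s' \
    "$1" "$2" "$3" "$4"
}

main() {
  apt-get update
  apt-get -y remove awscli || true          # the apt package was 1.2.9
  apt-get -y install python-pip
  pip install --upgrade awscli

  ver=$(awscli_version "$(aws --version 2>&1)")
  if ! version_ge "$ver" "$MIN_AWSCLI"; then
    echo "awscli $ver is older than $MIN_AWSCLI; --sse aws:kms unsupported" >&2
    exit 1
  fi

  cd /home/ubuntu
  eval "$(build_cp_cmd "$BUCKET" "$OBJECT_KEY" "$REGION" "$KMS_KEY_ID")"
  . ./secrets.sh                            # sourced, so no chmod needed
  shred -u -z -n 27 secrets.sh
}

# Only run the install when explicitly asked (e.g. from cloud-init).
if [ "${RUN_USER_DATA:-0}" = "1" ]; then
  main
fi
```

Run it as `RUN_USER_DATA=1 bash user-data.sh` on the instance; without the variable the script only defines the helpers, which is what the test below relies on.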


05-24 07:23