Problem description
I've got an ASG that assigns an IAM Role to each of the instances that join it. Therefore, each instance has the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables baked in, which will be used upon instantiation to download and decrypt credentials that are stored in an S3 bucket and encrypted using KMS keys.
So I will have the following components:
- An S3 bucket called top-secret.myapp.com
- All objects in this bucket are encrypted using a KMS key called My-KMS-Key
- An IAM instance role with inline policies attached granting it the ability to interact with both the bucket and the KMS key used to encrypt/decrypt the contents of the bucket (see below)
- A user data script that installs the aws-cli upon instantiation and then goes about attempting to download and decrypt an object from the top-secret.myapp.com bucket.
User data script
Upon instantiation, any given instance runs the following script:
#!/bin/bash
# Install the CLI from the distro packages, then fetch and source the secrets.
apt-get update
apt-get -y install python-pip
apt-get -y install awscli
cd /home/ubuntu
# Download the KMS-encrypted object using the instance role's credentials.
aws s3 cp s3://top-secret.myapp.com/secrets.sh . --region us-east-1
chmod +x secrets.sh
# Source the secrets into this shell, then overwrite and delete the file.
. secrets.sh
shred -u -z -n 27 secrets.sh
IAM role policies
The IAM role for my ASG instances has three policies attached inline:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::top-secret.myapp.com"
]
},
{
"Effect": "Allow",
"Action": [
"s3:List*",
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::top-secret.myapp.com/secrets.sh"
]
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:*"
],
"Resource": "arn:aws:kms:us-east-1:ACCOUNT-ID:key/UUID-OF-MY-SECRET-KEY-HERE"
}
]
}
The first policy is essentially a full-root-access policy with no restrictions. Or so I thought, but it doesn't work. So I thought it might be that I need to explicitly apply policies that allow interaction with S3 encryption and/or KMS, which makes sense.
So I added the second policy that allows the IAM instance role to list the top-secret.myapp.com bucket, and LIST and GET the secrets.sh object within the bucket. But this produced the error illustrated below.
The (Unknown) error I get
download failed: s3://top-secret.myapp.com/secrets.sh to ./secrets.sh
A client error (Unknown) occurred when calling the GetObject operation: Unknown
Anyone have any idea what could be causing this error?
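Added example, not part of the original question: the three inline policies above collapsed into the one least-privilege document the user-data script actually needs. Reading a single SSE-KMS object takes s3:GetObject on that object and kms:Decrypt on the key that encrypted it; the first policy's "Action": "*" on "Resource": "*" hands every instance in the ASG full control of the account and should not be attached to an instance role. The account ID 123456789012 and the key ID are placeholders, and the kms:ViaService condition (which limits use of the key to calls S3 makes on the role's behalf in us-east-1) is an assumption about how the key is used, not something the post states.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadSecretsObjectOnly",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::top-secret.myapp.com/secrets.sh"
    },
    {
      "Sid": "DecryptSecretsKeyViaS3Only",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-east-1:123456789012:key/UUID-OF-MY-SECRET-KEY-HERE",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.us-east-1.amazonaws.com"
        }
      }
    }
  ]
}
```

Two checks worth making with this in place: the KMS key's own key policy must also allow the role (or delegate to IAM policies via the account principal), because an identity policy alone never grants use of a KMS key; and since s3:ListBucket is deliberately left out, a missing object surfaces as a 403 rather than a 404, which is expected and not a sign that the policy is wrong. kms:GenerateDataKey is only needed by whatever uploads the object, not by the instances that read it.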
Recommended answer
For me, the issue was two-fold:
- If you're using server-side encryption via KMS, you need to supply the --sse aws:kms flag to the aws s3 cp [...] command.
- I was installing an out-of-date version of awscli (version 1.2.9) via apt, and that version didn't recognize the --sse aws:kms option. Running apt-get remove awscli and installing via pip install awscli gave me version 1.10.51, which worked.
Edit:
If you're using a different KMS key than the default master key for your account, you will need to also add the following flag:
--sse-kms-key-id [your KMS key ID]
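Added example, not part of the original question or answer: a user-data script built around the answer's two fixes. It parses the `aws --version` banner and refuses to continue on an awscli that predates the version the answer reports as working, then runs the download with the --sse aws:kms and --sse-kms-key-id flags the answer adds. Bucket, object, region and key ID are the post's placeholders; the 1.10.51 floor is an assumption taken from the answer, and the SECRETS_BOOTSTRAP guard is an assumption so the functions can be sourced and checked without contacting AWS.

```shell
#!/bin/sh
# Added example (not the original poster's script). Assumptions: the bucket,
# object, region and key ID below are the post's placeholders; 1.10.51 is the
# oldest awscli accepted because that is the version the answer says worked.
set -u

BUCKET="top-secret.myapp.com"
OBJECT="secrets.sh"
REGION="us-east-1"
KMS_KEY_ID="UUID-OF-MY-SECRET-KEY-HERE"   # placeholder from the post
MIN_AWSCLI_VERSION="1.10.51"

# Extract "X.Y.Z" from an `aws --version` banner such as
# "aws-cli/1.2.9 Python/2.7.6 Linux/3.13.0-24-generic". Prints nothing
# if the banner does not look like one.
awscli_version_of() {
    printf '%s\n' "$1" | sed -n 's/^aws-cli\/\([0-9][0-9.]*\).*/\1/p'
}

# Numeric, per-component comparison of dotted versions: returns 0 if $1 >= $2.
# Missing trailing components count as 0, so 1.10 < 1.10.51 and 1.2.9 < 1.10.51.
version_ge() {
    v1="$1"; v2="$2"
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a="${v1%%.*}"; b="${v2%%.*}"
        if [ "$v1" = "$a" ]; then v1=""; else v1="${v1#*.}"; fi
        if [ "$v2" = "$b" ]; then v2=""; else v2="${v2#*.}"; fi
        a="${a:-0}"; b="${b:-0}"
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
    done
    return 0
}

# Returns 0 if the given `aws --version` banner is new enough to understand
# --sse aws:kms; unparseable banners fail closed.
awscli_supports_sse() {
    v="$(awscli_version_of "$1")"
    [ -n "$v" ] && version_ge "$v" "$MIN_AWSCLI_VERSION"
}

# The download the answer arrives at, with the KMS flags spelled out. The file
# is made owner-only before it is sourced, then overwritten and removed as in
# the original script.
download_and_source_secrets() {
    aws s3 cp "s3://$BUCKET/$OBJECT" . --region "$REGION" \
        --sse aws:kms --sse-kms-key-id "$KMS_KEY_ID" || return 1
    chmod 0600 "$OBJECT"
    . "./$OBJECT"
    shred -u -z -n 27 "$OBJECT"
}

# Entry point. Guarded by a variable so the functions above can be sourced and
# checked without touching AWS; the real user-data script sets SECRETS_BOOTSTRAP=1.
if [ "${SECRETS_BOOTSTRAP:-0}" = "1" ]; then
    # Old awscli 1.x prints its version banner on stderr, hence 2>&1.
    if ! awscli_supports_sse "$(aws --version 2>&1)"; then
        echo "awscli too old for --sse aws:kms; install >= $MIN_AWSCLI_VERSION via pip" >&2
        exit 1
    fi
    download_and_source_secrets
fi
```

In the real user data, run `SECRETS_BOOTSTRAP=1 sh /path/to/this-script.sh` after the pip install step; the version gate turns the opaque "A client error (Unknown)" from the post into an explicit failure that names the cause.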