如何在CFN脚本中访问受保护的S3文件？

Question

我正在尝试在我的cloudformation脚本中检索文件.如果我公开提供该文件,那么它可以正常工作.如果文件是私有的,则cfn脚本失败,但/ var/log /中有404错误.尝试通过wget检索文件会导致相应的403错误.

如何从S3检索私人文件？

我的文件子句如下:

    "files" : {
      "/etc/httpd/conf/httpd.conf" : { 
        "source" : "https://s3.amazonaws.com/myConfigBucket/httpd.conf"
      }
    },

我添加了一个验证子句和适当的参数:

"Parameters" : {
  "BucketRole" : {
    "Description" : "S3 role for access to bucket",
    "Type" : "String",
    "Default" : "S3Access",
    "ConstraintDescription" : "Must be a valid IAM Role"
  }
}

    "AWS::CloudFormation::Authentication": {
      "default" : {
        "type": "s3",
        "buckets": [ "myConfigBucket" ],
        "roleName": { "Ref" : "BucketRole" }
      }
    },

我的IAM角色如下所示:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "*"
    }
  ]
}

Answer 1

解决方案是将IamInstanceProfile属性添加到实例创建中:

   "Parameters" : {
     ...
     "RoleName" : {
       "Description" : "IAM Role for access to S3",
       "Type" : "String",
       "Default" : "DefaultRoleName",
       "ConstraintDescription" : "Must be a valid IAM Role"
     }
   },

   "Resources" : {
     "InstanceName" : {
       "Type" : "AWS::EC2::Instance",
       "Properties" : {
         "ImageId"             : { "Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "64"] },
         "InstanceType"        : { "Ref" : "InstanceType" },
         "SecurityGroups"      : [ {"Ref" : "SecurityGroup"} ],
         "IamInstanceProfile"  : { "Ref" : "RoleName" },
         "KeyName"             : { "Ref" : "KeyName" }
       }
     },
     ...