How do I get a VPC endpoint to work from inside a Docker container?

Ben*_*enR 5 amazon-s3 amazon-ec2 amazon-web-services amazon-ecs docker

I can't get the AWS CLI to download a text file from S3 inside a Docker container. There is a VPC set up, and its VPC endpoint is approved by the S3 bucket policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::secret-store/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    },
    {
      "Sid": " DenyUnEncryptedInflightOperations",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::secret-store/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    },
    {
      "Sid": "Access-to-specific-VPCE-only",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::secret-store/*",
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": "vpce-de7893b7"
        }
      }
    }
  ]
}
```

I am using a Dockerfile that installs the AWS CLI and calls an entrypoint script:

```dockerfile
FROM java:8
RUN apt-get update && \
    apt-get -y install python curl unzip && cd /tmp && \
    curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" \
    -o "awscli-bundle.zip" && \
    unzip awscli-bundle.zip && \
    ./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws && \
    rm awscli-bundle.zip && rm -rf awscli-bundle

COPY entrypoint.sh /entrypoint.sh

ENTRYPOINT ["/entrypoint.sh"]
```

The entrypoint script sets up the AWS CLI profile and calls `aws s3 cp s3://bucket/file.txt -`:

```bash
#!/bin/bash

mkdir ~/.aws

echo '[default]
aws_access_key_id=
aws_secret_access_key=
output=json
region=us-west-2' > ~/.aws/config

aws --version

aws s3 cp s3://secret-store/test.txt -
```

When I run the entrypoint script from the EC2 host's shell, I get the expected authorised response:

```text
[ec2-user@ip-10-0-1-86 ~]$ ./entrypoint.sh
mkdir: cannot create directory ‘/home/ec2-user/.aws’: File exists
aws-cli/1.11.22 Python/2.7.5 Linux/3.10.0-514.el7.x86_64 botocore/1.4.79
Hello secure VPC world!
```

However, when I run the same script from a Docker image on the same host where it succeeded, I get a `download failed (Forbidden)` error:

```text
[ec2-user@ip-10-0-1-86 ~]$ docker build . -t test && docker run test
Sending build context to Docker daemon 15.89 MB
Step 1 : FROM java:8
 ---> 861e95c114d6
Step 2 : RUN apt-get update &&     apt-get -y install python curl unzip && cd /tmp &&     curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip"     -o "awscli-bundle.zip" &&     unzip awscli-bundle.zip &&     ./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws &&     rm awscli-bundle.zip && rm -rf awscli-bundle
 ---> Using cache
 ---> c948b9caeaae
Step 3 : COPY entrypoint.sh /entrypoint.sh
 ---> Using cache
 ---> 9c1774cc5d57
Step 4 : ENTRYPOINT /entrypoint.sh
 ---> Running in 98179b1b7172
 ---> d8f12456a198
Removing intermediate container 98179b1b7172
Successfully built d8f12456a198
aws-cli/1.11.22 Python/2.7.9 Linux/3.10.0-514.el7.x86_64 botocore/1.4.79
download failed: s3://secret-store/test.txt to - An error occurred (403) when calling the HeadObject operation: Forbidden
```

Does anyone know why I get a Forbidden response from the Docker container when it runs on the same host where I get a successful response?


NHo*_*Hol 0

VPC endpoints use internal addresses, so if your build container is resolving the external S3 endpoint, the policy won't apply. Docker builds should just use the bridge network, but you could add an nslookup debug line to the Dockerfile and compare it with the same command on the host where it works.

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html
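Whatever the network-level cause, the 403 on HeadObject follows directly from the third Deny statement of the bucket policy quoted in the question: HeadObject is authorised by s3:GetObject, and a request whose context carries no aws:sourceVpce key at all satisfies StringNotEquals (negated operators match on absent keys). The following is an added example, not code from the question or answer, that evaluates that exact policy against two constructed request contexts so the behaviour can be checked offline.

```python
import fnmatch
import json

# The bucket policy from the question, compacted (leading space in the second Sid kept as posted).
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": "*",
  "Action": "s3:PutObject", "Resource": "arn:aws:s3:::secret-store/*",
  "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
 {"Sid": " DenyUnEncryptedInflightOperations", "Effect": "Deny", "Principal": "*",
  "Action": "s3:*", "Resource": "arn:aws:s3:::secret-store/*",
  "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
 {"Sid": "Access-to-specific-VPCE-only", "Effect": "Deny", "Principal": "*",
  "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
  "Resource": "arn:aws:s3:::secret-store/*",
  "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-de7893b7"}}}]}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def condition_holds(operator, key, expected, context):
    """One IAM condition. A key missing from the request context makes
    StringNotEquals true (negated operators match absent keys) and Bool false."""
    actual = context.get(key)
    if operator == "StringNotEquals":
        return actual is None or actual not in _as_list(expected)
    if operator == "Bool":
        return actual is not None and actual.lower() == str(expected).lower()
    raise ValueError(f"operator {operator} not modelled here")

def denying_statements(policy, action, resource, context):
    """Sids of the Deny statements that match this request (empty = not denied)."""
    hits = []
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        conds = st.get("Condition", {})
        if all(condition_holds(op, k, v, context)
               for op, kv in conds.items() for k, v in kv.items()):
            hits.append(st["Sid"].strip())
    return hits

OBJ = "arn:aws:s3:::secret-store/test.txt"
# Constructed request contexts: a request that went through the endpoint carries
# aws:sourceVpce; one that reached S3 over the public path has no such key at all.
VIA_ENDPOINT = {"aws:SecureTransport": "true", "aws:sourceVpce": "vpce-de7893b7"}
PUBLIC_PATH = {"aws:SecureTransport": "true"}
```

Running `denying_statements(POLICY, "s3:GetObject", OBJ, PUBLIC_PATH)` returns the single Sid `Access-to-specific-VPCE-only`, which is the statement behind the container's 403, while the same call with `VIA_ENDPOINT` returns no denies.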