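I created a Dockerrun.aws.json file and uploaded it while creating a Beanstalk (Docker) environment. I also uploaded the .dockercfg file created by the "docker login" command to the S3 bucket specified in the Dockerrun.aws.json configuration.
However, when I try to launch the environment, I receive an error message (at the bottom of the post) stating that the EC2 instance cannot access the .dockercfg file in the bucket. How can I make sure the Beanstalk application can access the config JSON file in the provided S3 bucket?
Thanks! (Error below)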
i-64c62de7 Severe 1 day - - - - - - - - - - 0.00 0.01 0.3 0.0 0.0 99.6 0.1
Application deployment failed at 2016-02-27T04:30:54Z with exit status 1 and error: Hook /opt/elasticbeanstalk/hooks/appdeploy/pre/03build.sh failed.
Traceback (most recent call last):
  File "/opt/elasticbeanstalk/containerfiles/support/download_auth.py", line 18, in <module>
    download_auth(argv[1], argv[2], get_instance_identity()['document']['region'])
  File "/opt/elasticbeanstalk/containerfiles/support/download_auth.py", line 15, in download_auth
    key.get_contents_to_filename('/root/.dockercfg')
  File "/usr/lib/python2.7/dist-packages/boto/s3/key.py", line 1712, in get_contents_to_filename
    response_headers=response_headers)
  File "/usr/lib/python2.7/dist-packages/boto/s3/key.py", line 1650, in get_contents_to_file
    response_headers=response_headers)
  File "/usr/lib/python2.7/dist-packages/boto/s3/key.py", line 1482, in get_file
    query_args=None)
  File "/usr/lib/python2.7/dist-packages/boto/s3/key.py", line 1514, in _get_file_internal
    override_num_retries=override_num_retries)
  File "/usr/lib/python2.7/dist-packages/boto/s3/key.py", line 343, in open
    override_num_retries=override_num_retries)
  File "/usr/lib/python2.7/dist-packages/boto/s3/key.py", line 303, in open_read
    self.resp.reason, body)
boto.exception.S3ResponseError: S3ResponseError: 403 Forbidden
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>910AD275D3E3110A</RequestId><HostId>682j0cjMsfurjyy/PGT3W9wRxI+4sh+rrESuw2WpInERcn4p4f9XGwBFdpBmDYQc</HostId></Error>
Failed to download authentication credentials dockercfg from my-s3-bucket.
You must make sure that the IAM role you are using has access to the bucket and the key. Something like:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BucketAccess",
            "Effect": "Allow",
            "Action": [
                "s3:List*",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket"
            ]
        },
        {
            "Sid": "S3ObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket/*"
            ]
        }
    ]
}
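If you don't do this already, you should point to an IAM instance profile from .ebextensions rather than letting EB create its own, so that you can control it:
  - namespace: aws:autoscaling:launchconfiguration
    option_name: IamInstanceProfile
    value: arn:aws:iam::xxxxxxxxx:instance-profile/yourRole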
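
An offline check of whether a policy like the one in the answer covers the bucket and key named in Dockerrun.aws.json, as an added example that is not part of the original post or of Elastic Beanstalk. The function names are hypothetical, and it assumes identity-policy statements only (no Condition, NotAction or NotResource elements, no bucket policy, SCP or permissions boundary).

```python
import json
import re

# Constructed input: the two statements from the answer above, compacted.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "BucketAccess", "Effect": "Allow",
   "Action": ["s3:List*", "s3:GetBucketLocation"],
   "Resource": ["arn:aws:s3:::mybucket"]},
  {"Sid": "S3ObjectAccess", "Effect": "Allow",
   "Action": ["s3:GetObject*", "s3:List*"],
   "Resource": ["arn:aws:s3:::mybucket/*"]}
]}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild(pattern, value, ignore_case=False):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None


def evaluate(policy, action, resource):
    """Explicit Deny beats Allow; no matching statement is an implicit deny."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if stmt.keys() & {"Condition", "NotAction", "NotResource"}:
            raise ValueError("statement uses elements not modelled here")
        # Action names are case-insensitive, resource ARNs are not.
        hit = (any(_wild(a, action, True) for a in _as_list(stmt["Action"]))
               and any(_wild(r, resource) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        if hit:
            decision = "Allow"
    return decision


def missing_permissions(policy, bucket, key):
    """Return the (action, resource) pairs the policy does not allow."""
    bucket_arn = "arn:aws:s3:::" + bucket
    needed = [("s3:GetObject", bucket_arn + "/" + key),  # the call that returned 403
              ("s3:ListBucket", bucket_arn),
              ("s3:GetBucketLocation", bucket_arn)]
    return [(a, r) for a, r in needed if evaluate(policy, a, r) != "Allow"]
```

An empty list from `missing_permissions(POLICY, "mybucket", ".dockercfg")` means the policy covers that key; a bucket name that differs from the one in the policy, or an object statement whose Resource lacks the trailing `/*`, shows up as a missing `s3:GetObject`.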