我是Boto和AWS的新手 . 有人可以提供下面的错误清晰度吗?我希望通过继承由附加到实例的IAM角色提供给它的凭据,从EC2实例中的BOTO访问s3和SSM服务 .
我在Amazon Linux IAM中这样做 . 在miniconda2中使用Python2 .
当我尝试连接到s3时,我收到以下凭据错误 .
import boto
boto.connect_s3()
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/root/miniconda2/lib/python2.7/site-packages/boto/__init__.py", line 141, in connect_s3
return S3Connection(aws_access_key_id, aws_secret_access_key, **kwargs)
File "/root/miniconda2/lib/python2.7/site-packages/boto/s3/connection.py", line 194, in __init__
validate_certs=validate_certs, profile_name=profile_name)
File "/root/miniconda2/lib/python2.7/site-packages/boto/connection.py", line 555, in __init__
profile_name)
File "/root/miniconda2/lib/python2.7/site-packages/boto/provider.py", line 201, in __init__
self.get_credentials(access_key, secret_key, security_token, profile_name)
File "/root/miniconda2/lib/python2.7/site-packages/boto/provider.py", line 377, in get_credentials
self._populate_keys_from_metadata_server()
File "/root/miniconda2/lib/python2.7/site-packages/boto/provider.py", line 394, in _populate_keys_from_metadata_server
creds = self._get_credentials_from_metadata(metadata)
File "/root/miniconda2/lib/python2.7/site-packages/boto/provider.py", line 424, in _get_credentials_from_metadata
"%s" % (msg))
boto.exception.InvalidInstanceMetadataError: Expected a dict type of credentials instead received an empty string
You can set the 'metadata_service_num_attempts' in your boto config file to increase the number of times boto will attempt to retrieve credentials from the instance metadata service.
当我给它一个具有单个策略的IAM角色时,上面的代码可以工作,如下所示:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
}
只要我在策略中有多个规则,请参阅下面的json,我得到上面显示的堆栈错误:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssm:DescribeAssociation",
"ssm:GetDeployablePatchSnapshotForInstance",
"ssm:GetDocument",
"ssm:GetManifest",
"ssm:GetParameters",
"ssm:ListAssociations",
"ssm:ListInstanceAssociations",
"ssm:PutInventory",
"ssm:PutComplianceItems",
"ssm:PutConfigurePackageResult",
"ssm:UpdateAssociationStatus",
"ssm:UpdateInstanceAssociationStatus",
"ssm:UpdateInstanceInformation"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2messages:AcknowledgeMessage",
"ec2messages:DeleteMessage",
"ec2messages:FailMessage",
"ec2messages:GetEndpoint",
"ec2messages:GetMessages",
"ec2messages:SendReply"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cloudwatch:PutMetricData"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstanceStatus"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ds:CreateComputer",
"ds:DescribeDirectories"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:PutLogEvents"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"s3:ListBucket",
"s3:ListBucketMultipartUploads"
],
"Resource": "*"
}
]
}
我想避免在.aws / credentials文件中添加凭证串 .