我创建了一个s3 vpc endpoints ,但我无法弄清楚ec2实例上的api cli语法与存储桶交互的内容是什么 .
"Resource": "arn:aws:s3:::MyBucketName"
从VPC配置页面
ENDPOINTID=vpce-dxxxxxxx SERVICE=com.amazonaws.eu-west-1.s3
s3政策
{ "Version": "2012-10-17", "Id": "MyPolicy", "Statement": [ { "Sid": "MySidId", "Effect": "Allow", "Principal": {
"AWS": "arn:aws:iam::xxxxxxxx:role/MyRole" }, "Action": "s3:*", "Resource": "arn:aws:s3:::MyBucketName" } ] }
ec2角色政策
{
"Sid": "MySidId",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": [
"*"
]
}
描述前缀列表
{
"VpcEndpoints": [
{
"PolicyDocument": "{\"Version\":\"2008-10-17\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"*\",\"Resource\":\"*\"}]}",
"VpcId": "vpc-ec96cxxxx",
"State": "available",
"ServiceName": "com.amazonaws.eu-west-1.s3",
"RouteTableIds": [
"rtb-87cexxxx",
"rtb-bbcexxxx"
],
"VpcEndpointId": "vpce-d983xxxx",
"CreationTimestamp": "2016-01-05T13:28:41Z"
}
]
}
路由表 rtb-bbcexxxx 具有正确的 "PrefixListId": "pl-6da54xxx"
我尝试了以下内容
aws s3 --profile prf1 --region eu-west-1 ls MyBucketName.com.amazonaws.eu-west-1.s3
aws s3 --profile prf1 --region eu-west-1 ls com.amazonaws.eu-west-1.s3.MyBucketName
aws s3 --profile prf1 --region eu-west-1 ls com.amazonaws.eu-west-1.s3/MyBucketName
组合但得到
A client error (NoSuchBucket) occurred when calling the ListObjects operation: The specified bucket does not exist
解决此 endpoints 的正确语法是什么?它只是s3:// MyBucketName ??
谢谢
艺术
1 回答
它应该是,是的 - 实际访问存储桶的方式应该改变 .
将 endpoints 前缀列表与子网关联实际上会将路由劫持到DNS为S3区域返回的公共IP地址,以便您发送到S3的流量遍历“ endpoints ”而不是通过Internet网关发送(igw-xxxxxxxx) ) - 从您的角度来看,它只是VPC基础架构中的IP路由更改,因此无论您是否配置了S3 endpoints ,都应该不需要做任何改变 .
当然,我怀疑它实际上比“只是”路由表更改更多,但是其他任何可能在幕后发生的事情,其余部分包括AWS内部的实现细节,与如何无关服务对用户显示 .