I have an EC2 server "deploy" with an instance profile "deploy-server-profile" that contains a role "deploy-server-role". My "deploy-server-role" has an attached managed policy "all-servers" containing 2 rules:

    - Effect: "Allow"
      Action:
        - "s3:GetObject"
      Resource:
        - "arn:aws:s3:::my-app-builds/infrastructure/master/cloud-init"
    - Effect: "Allow"
      Action:
        - "s3:ListBucket"
      Resource:
        - "arn:aws:s3:::my-app-builds"
On the server, I made sure the AWS CLI runs with that role:
ubuntu@ip-10-63-1-114:~$ aws sts get-caller-identity | jq .Arn
"arn:aws:sts::<my_aws_account>:assumed-role/deploy-server-role/<instance_id>"
and I verified that I can list the bucket:
ubuntu@ip-10-63-1-114:~$ aws s3 ls s3://my-app-builds
PRE infrastructure/
But I cannot download the "cloud-init" file:
ubuntu@ip-10-63-1-114:~$ aws s3api get-object --bucket my-app-builds --key infrastructure/master/cloud-init /tmp/cloud-init.sh
An error occurred (AccessDenied) when calling the GetObject operation: Access Denied
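To narrow down where the denial comes from, it helps to evaluate the identity policy from the question on its own. The following is an added example, not the poster's code or an AWS tool: a small simulator of IAM statement matching (Effect, Action, Resource with `*`/`?` wildcards, explicit Deny beating Allow) run against the two statements above. It deliberately ignores Conditions, bucket policies, SCPs, permissions boundaries and KMS key policies, so an "allow" here only means the identity policy itself is not the blocker.

```python
import re

# The two statements of the "all-servers" policy, copied from the question.
ALL_SERVERS_POLICY = [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::my-app-builds/infrastructure/master/cloud-init"]},
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::my-app-builds"]},
]


def _as_list(value):
    """IAM allows Action/Resource to be a single string or a list."""
    return value if isinstance(value, list) else [value]


def iam_match(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters, '?' one.
    Action names compare case-insensitively; S3 ARNs are case-sensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def evaluate(policy, action, resource):
    """Decide one request against one identity policy (Conditions ignored).
    Returns 'explicit_deny', 'allow' or 'implicit_deny', following the IAM
    rule that any matching Deny wins over any matching Allow."""
    decision = "implicit_deny"
    for stmt in policy:
        action_hit = any(iam_match(a.lower(), action.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(iam_match(r, resource)
                           for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"
        decision = "allow"
    return decision


def check_question_requests():
    """Replay the three calls from the question: the bucket listing that
    worked, the object download that failed, and a sibling key as control."""
    bucket = "arn:aws:s3:::my-app-builds"
    return {
        "ListBucket": evaluate(ALL_SERVERS_POLICY, "s3:ListBucket", bucket),
        "GetObject cloud-init": evaluate(ALL_SERVERS_POLICY, "s3:GetObject",
                                         bucket + "/infrastructure/master/cloud-init"),
        "GetObject other key": evaluate(ALL_SERVERS_POLICY, "s3:GetObject",
                                        bucket + "/infrastructure/master/other"),
    }
```

When the identity policy alone evaluates to "allow" for the failing GetObject, the remaining candidates are the layers this simulator does not model: a bucket policy, an SCP or permissions boundary, or the key policy of a KMS key used for SSE-KMS on that object.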