阅读背景:

aws vpc s3端点cli语法

来源:互联网 

I have an s3 vpc endpoint created, but I cannot work out what the api cli syntax on an ec2 instance to interact with the bucket is.

我创建了一个s3 vpc端点,但我无法弄清楚ec2实例上的api cli语法与存储桶交互的内容是什么。

"Resource": "arn:aws:s3:::MyBucketName"

“资源”:“arn:aws:s3 ::: MyBucketName”

from the VPC config page

从VPC配置页面

ENDPOINTID=vpce-dxxxxxxx SERVICE=com.amazonaws.eu-west-1.s3

ENDPOINTID = vpce-dxxxxxxx SERVICE = com.amazonaws.eu-west-1.s3

s3 policy

s3政策

{   "Version": "2012-10-17",    "Id": "MyPolicy",   "Statement": [      {           "Sid": "MySidId",           "Effect": "Allow",          "Principal": {
                "AWS": "arn:aws:iam::xxxxxxxx:role/MyRole"          },          "Action": "s3:*",           "Resource": "arn:aws:s3:::MyBucketName"         }   ] }

ec2 role policy

ec2角色政策

{
             "Sid": "MySidId",
             "Effect": "Allow",
             "Action": [
                 "s3:ListBucket",
                 "s3:GetObject",
                 "s3:PutObject",
                 "s3:DeleteObject"
             ],
             "Resource": [
                 "*"
             ]
         }

describe-prefix-lists

描述前缀列表

{
             "VpcEndpoints": [
                 {
                     "PolicyDocument": "{\"Version\":\"2008-10-17\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"*\",\"Resource\":\"*\"}]}",
                     "VpcId": "vpc-ec96cxxxx",
                     "State": "available",
                     "ServiceName": "com.amazonaws.eu-west-1.s3",
                     "RouteTableIds": [
                         "rtb-87cexxxx",
                         "rtb-bbcexxxx"
                     ],
                     "VpcEndpointId": "vpce-d983xxxx",
                     "CreationTimestamp": "2016-01-05T13:28:41Z"
                 }
             ]
         }

route table rtb-bbcexxxx has correct "PrefixListId": "pl-6da54xxx"

路由表rtb-bbcexxxx具有正确的“PrefixListId”:“pl-6da54xxx”

I have tried the following

我尝试了以下内容

    aws s3 --profile prf1 --region eu-west-1 ls MyBucketName.com.amazonaws.eu-west-1.s3
    aws s3 --profile prf1 --region eu-west-1 ls com.amazonaws.eu-west-1.s3.MyBucketName
    aws s3 --profile prf1 --region eu-west-1 ls com.amazonaws.eu-west-1.s3/MyBucketName

combinations but get

组合,但得到

A client error (NoSuchBucket) occurred when calling the ListObjects operation: The specified bucket does not exist

What is the correct syntax to address this endpoint? is it just s3://MyBucketName??

解决此端点的正确语法是什么?它只是s3:// MyBucketName ??

thx

谢谢

Art

艺术

1 个解决方案

#1


1  

It should be, yes -- nothing about the way you actually access the bucket should change.

它应该是,是的 - 实际访问存储桶的方式应该改变。

Associating the endpoint prefix list with a subnet essentially hijacks the routes to the public IP addresses returned by DNS for the S3 region, so that the traffic you send to S3 traverses the "endpoint" rather than being sent through the Internet gateway (igw-xxxxxxxx) -- from your perspective, it's just an IP routing change within the VPC infrastructure, so you should need to do nothing different whether you have provisioned an S3 endpoint or not.

将端点前缀列表与子网相关联实际上会将路由劫持到DNS为S3区域返回的公共IP地址,以便您发送到S3的流量遍历“端点”而不是通过Internet网关发送(igw-xxxxxxxx) ) - 从您的角度来看,它只是VPC基础架构中的IP路由更改,因此无论您是否配置了S3端点,都应该不需要做任何改变。

Of course, I suspect there is actually more to it than "just" a route table change, but whatever else may be going on behind the scenes, the rest of it consists of implementation details that are internal to AWS and not relevant to how the service appears to the user.

当然,我怀疑它实际上比“只是”路由表更改更多,但是其他任何可能在幕后发生的事情,其余部分包括AWS内部的实现细节,与如何相关服务对用户显示。


分享到: