S3客户端从Kubernetes服务帐户承担角色

ilmyapht  于 2024-01-07  发布在  Kubernetes
关注(0)|答案(1)|浏览(170)

我有一个Sping Boot 应用程序正在从EC2迁移到EKS。我在AWS中设置了一个角色和策略,该角色被附加到Pod的服务帐户。该应用程序将对象放在S3中,并为存储桶中的对象生成预签名的URL。它使用较旧的AWS SDK v1

  1. <dependency>
  2.     <groupId>com.amazonaws</groupId>
  3.     <artifactId>aws-java-sdk-s3</artifactId>
  4.     <version>1.12.273</version>
  5. </dependency>

字符串
并像这样设置S3Client:

  1. AmazonS3ClientBuilder.standard()
  2.                 .withRegion(awsRegion)
  3.                 .enablePathStyleAccess()
  4.                 .enablePayloadSigning()
  5.                 .withCredentials(new InstanceProfileCredentialsProvider(true))
  6.                 .build();


当部署在EC2上时,策略工作并具有与S3交互的权限。但是,当部署到EKS时,我从S3获得403:

  1. S3 failed with an error.  No link will be generated.
  2. com.amazonaws.services.s3.model.AmazonS3Exception: Forbidden (Service: Amazon S3; Status Code: 403; Error Code: 403 Forbidden; Request ID: xxxxxxxx; S3 Extended Request ID: xxxxxxxxxxxxxxxx; Proxy: null)
  3.     at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1879)
  4.     at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleServiceErrorResponse(AmazonHttpClient.java:1418)
  5.     at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1387)
  6.     at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1157)
  7.     at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:814)
  8.     at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:781)
  9.     at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:755)
  10.     at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:715)
  11.     at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:697)
  12.     at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:561)
  13.     at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:541)
  14.     at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:5456)
  15.     at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:5403)
  16.     at com.amazonaws.services.s3.AmazonS3Client.getObjectMetadata(AmazonS3Client.java:1372)
  17.     at com.amazonaws.services.s3.AmazonS3Client.getObjectMetadata(AmazonS3Client.java:1346)
  18.     at com.amazonaws.services.s3.AmazonS3Client.doesObjectExist(AmazonS3Client.java:1427)


我在AWS控制台中看到该角色没有被使用。由于Pod的服务帐户正确地具有该角色,我的假设是应用程序不能承担该角色,因此出现了403。
我假设S3ClientBuilder中的Credentials Provider需要更改。S3Client中需要什么样的Credentials Provider才能从Pod上的Service Account承担角色?这是否可能不迁移到较新的v2 SDK(仍然可以迁移,但我会遇到同样的问题吗?)

kubernetes

1条答案

按热度按时间
mv1qrgav

mv1qrgav1#

感谢@jordanm的回答-在EKS上,

  1. .withCredentials(new InstanceProfileCredentialsProvider(true))

字符串
默认凭据提供程序链在AWS_ROLE_ARNAWS_WEB_IDENTITY_TOKEN_FILE上拾取。

赞(0)分享  回复(0)举报  2024-01-07
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备13028337号-1 大数据知识库 https://www.saoniuhuo.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com