Unable to download the bootstrap file from S3 when used in CloudFormation



We are trying to deploy an EC2 stack with a LaunchConfig, an AutoScaling group and an IAM role. In the Launch-config we configured it to execute a bash script with the help of "AWS::CloudFormation::Init". When the EC2 machine boots, it fails to fetch the bootstrap file from S3. Below are the error logs.

cfn-init.log

{
2020-02-21 17:48:48,663 https://forums.aws.amazon.com/ HTTP Error 404 : <?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>404 - Not Found</title>
</head>
<body>
<h1>404 - Not Found</h1>
</body>
</html>
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/cfnbootstrap/util.py", line 162, in _retry
return f(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/cfnbootstrap/util.py", line 286, in get_role_creds
resp.raise_for_status()
File "/usr/lib/python2.7/dist-packages/cfnbootstrap/packages/requests/models.py", line 834, in raise_for_status
raise HTTPError(http_error_msg, response=self)
HTTPError: 404 Client Error: Not Found
}

cloud-init-output.log

{
Error occurred during build: Failed to retrieve https://BUCKET_NAME.s3.amazonaws.com/BUCKET_PREFIX/scripts/bastion_bootstrap.sh: https://forums.aws.amazon.com/ HTTP Error 404 : <?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>404 - Not Found</title>
</head>
<body>
<h1>404 - Not Found</h1>
</body>
</html>
}

Below is the CF template we have:

BastionLaunchConfiguration:
  Type: 'AWS::AutoScaling::LaunchConfiguration'
  Metadata:
    'AWS::CloudFormation::Authentication':
      S3AccessCreds:
        type: S3
        roleName: !Ref BastionHostProfile
        buckets:
          - !Ref QSS3BucketName
    'AWS::CloudFormation::Init':
      config:
        files:
          /tmp/bastion_bootstrap.sh:
            source: !Sub 'https://${QSS3BucketName}.s3.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}scripts/bastion_bootstrap.sh'
            mode: '000550'
            owner: root
            group: root
            authentication: S3AccessCreds
        commands:
          b-bootstrap:
            cwd: '/tmp/'
            command: !Join
              - ''
              - - ./bastion_bootstrap.sh
                - ' --banner '
                - !Ref BastionBanner
                - ' --enable '
                - !Ref EnableBanner
                - ' --tcp-forwarding '
                - !Ref EnableTCPForwarding
                - ' --x11-forwarding '
                - !Ref EnableX11Forwarding
  Properties:
    AssociatePublicIpAddress: true
    PlacementTenancy: !Ref BastionTenancy
    KeyName: !Ref KeyPairName
    IamInstanceProfile: !Ref BastionHostProfile
    ImageId: !If
      - UseOSImageOverride
      - !Ref OSImageOverride
      - !FindInMap
        - AWSAMIRegionMap
        - !Ref 'AWS::Region'
        - !FindInMap
          - LinuxAMINameMap
          - !Ref BastionAMIOS
          - Code
    SecurityGroups:
      - !Ref BastionSecurityGroup
    InstanceType: !Ref BastionInstanceType
    BlockDeviceMappings:
      - DeviceName: /dev/xvda
        Ebs:
          VolumeSize: !Ref RootVolumeSize
          VolumeType: gp2
          Encrypted: true
          DeleteOnTermination: true

Below are the IAM role resources that we assign to the launch configuration:

BastionHostRole:
  Condition: CreateIAMRole
  Type: 'AWS::IAM::Role'
  Properties:
    Path: /
    AssumeRolePolicyDocument:
      Statement:
        - Action:
            - 'sts:AssumeRole'
          Principal:
            Service:
              - ec2.amazonaws.com
          Effect: Allow
      Version: 2012-10-17
    ManagedPolicyArns:
      - 'arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM'
BastionHostPolicy:
  Type: 'AWS::IAM::Policy'
  Properties:
    PolicyName: BastionPolicy
    PolicyDocument:
      Version: 2012-10-17
      Statement:
        - Action:
            - 's3:*'
          Resource: !Sub
            - 'arn:${Partition}:s3:::${QSS3BucketName}/${QSS3KeyPrefix}*'
            - Partition: !If
                - GovCloudCondition
                - aws-us-gov
                - aws
          Effect: Allow
        - Action:
            - 'logs:CreateLogStream'
            - 'logs:GetLogEvents'
            - 'logs:PutLogEvents'
            - 'logs:DescribeLogGroups'
            - 'logs:DescribeLogStreams'
            - 'logs:PutRetentionPolicy'
            - 'logs:PutMetricFilter'
            - 'logs:CreateLogGroup'
          Resource: !Sub
            - arn:${Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${BastionMainLogGroup}:*
            - Partition: !If
                - GovCloudCondition
                - aws-us-gov
                - aws
          Effect: Allow
        - Action:
            - 'ec2:AssociateAddress'
            - 'ec2:DescribeAddresses'
          Resource: '*'
          Effect: Allow
    Roles:
      - !If
        - CreateIAMRole
        - !Ref BastionHostRole
        - !Ref AlternativeIAMRole
BastionHostProfile:
  DependsOn: BastionHostPolicy
  Type: 'AWS::IAM::InstanceProfile'
  Properties:
    Roles:
      - !If
        - CreateIAMRole
        - !Ref BastionHostRole
        - !Ref AlternativeIAMRole
    Path: /

Any suggestions on how we can fix this?
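As an added check, not part of the question or the answer: cfn-init resolves a `type: S3` authentication entry by requesting `iam/security-credentials/<roleName>` from the instance metadata service (the request made in the `get_role_creds` frame of the traceback), and that path serves only the IAM role name attached to the instance, while `!Ref` on an `AWS::IAM::InstanceProfile` returns the profile name. The script below lints a constructed excerpt with the same resource layout as the template above for a `roleName` that references anything other than an `AWS::IAM::Role`; literal role names are not checked.

```python
"""Lint cfn-init S3 authentication: roleName must name an AWS::IAM::Role,
because cfn-init reads iam/security-credentials/<roleName> from instance metadata."""
import re

# Constructed excerpt mirroring the resources in the question's template.
TEMPLATE = """
  BastionLaunchConfiguration:
    Metadata:
      'AWS::CloudFormation::Authentication':
        S3AccessCreds:
          type: S3
          roleName: !Ref BastionHostProfile
  BastionHostRole:
    Condition: CreateIAMRole
    Type: 'AWS::IAM::Role'
  BastionHostProfile:
    Type: 'AWS::IAM::InstanceProfile'
"""
ROLE_NAME_RE = re.compile(r"^[ \t]*roleName:[ \t]*!Ref[ \t]+(\S+)", re.M)
def indent(s): return len(s) - len(s.lstrip())  # leading-whitespace count


def resource_type(template, logical_id):
    """Return the Type of resource `logical_id` (quotes stripped) or None."""
    lines = template.splitlines()
    for i, line in enumerate(lines):
        if line.strip() != logical_id + ":":
            continue
        child = None  # indentation of the resource's direct child keys
        for nxt in lines[i + 1:]:
            if not nxt.strip():
                continue
            if indent(nxt) <= indent(line):
                break  # back at resource level without a Type key
            child = indent(nxt) if child is None else child
            if indent(nxt) == child and nxt.strip().startswith("Type:"):
                return nxt.split(":", 1)[1].strip().strip("'\"")
        break
    return None


def check_s3_authentication(template):
    """One finding per `roleName: !Ref X` where X is not an AWS::IAM::Role."""
    findings = []
    for match in ROLE_NAME_RE.finditer(template):
        target = match.group(1)
        rtype = resource_type(template, target) or "missing resource"
        if rtype != "AWS::IAM::Role":
            findings.append(f"roleName references {target} ({rtype}), not an AWS::IAM::Role")
    return findings
```

Running `check_s3_authentication` on the excerpt reports the `BastionHostProfile` reference; pointing `roleName` at `BastionHostRole` instead yields no findings.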

At first glance, there seems to be a typo here.

'https://${QSS3BucketName}.s3.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}scripts/bastion_bootstrap.sh'

The usual format is <BucketName>.s3-<Region>; here there is a period between s3 and the region.
