Following the AWS documentation at https://docs.aws.aws.amazon.com/blockchain-templates/latest/developerguide/blockchain-templates-hyperledger.html and using the IAM policy from the docs:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:DescribeImages",
        "ecr:BatchGetImage",
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "*"
    }
  ]
}
the stack failed to launch. I then added all of the following permissions:
AmazonEC2FullAccess
AmazonEC2ContainerRegistryFullAccess
AmazonS3FullAccess
AmazonEC2ContainerRegistryReadOnly
AmazonS3ReadOnlyAccess
AmazonEC2ContainerServiceFullAccess
AdministratorAccess
but still no luck, and I got this error:
The following resource(s) failed to create: [EC2Instancefordev].
Which IAM policies should I add to resolve this error?
Thanks!
The official AWS Blockchain CloudFormation template for Hyperledger Fabric is a nested template (our base template calls another template, which does all the setup on the EC2 instance that the template itself creates).
The problem is that it does everything on the EC2 instance except install docker-compose, so at the end it throws an error that the docker-compose command cannot be found, which causes the CloudFormation template to break (Ec2instancefordev) and roll back. So instead of using the CloudFormation template, we can run the same script manually on the EC2 instance with a small change. The change is to install docker-compose beforehand. The rest of the setup stays the same, i.e.:
1. Create a VPC.
2. Create a public subnet.
3. Create an EIP (if you want to attach it later).
4. Create a key pair for SSH.
5. Create an IAM role and policy.
6. Create a security group with inbound 8080 (TCP) and 22 (SSH).
7. Launch an EC2 instance using the resources created in steps 1 to 6.
The preferred AMIs are -
- ami-1853ac65 for us-east-1
- ami-25615740 for us-east-2
- ami-dff017b8 for us-west-2
Docker image repositories -
- 354658284331 for us-east-1
- 763976151875 for us-east-2
- 712425161857 for us-west-2
Script to run on EC2 (give the script chmod 777 and chmod +x) -
#!/bin/bash -x
# Install docker-compose first; this is the step the CloudFormation template misses
sudo curl -L https://github.com/docker/compose/releases/download/1.22.0/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
docker-compose --version
res=$?
echo $res
# Fetch and unpack the AWS basic-network bundle into the ec2-user home directory
mkdir /tmp/fabric-install/
cd /tmp/fabric-install/
wget https://aws-blockchain-templates-us-east-1.s3.us-east-1.amazonaws.com/hyperledger/fabric/templates/simplenetwork/latest/HyperLedger-BasicNetwork.tgz -O /home/ec2-user/HyperLedger-BasicNetwork.tgz
cd /home/ec2-user
tar xzvf HyperLedger-BasicNetwork.tgz
rm /home/ec2-user/HyperLedger-BasicNetwork.tgz
chown -R ec2-user:ec2-user HyperLedger-BasicNetwork
chmod +x /home/ec2-user/HyperLedger-BasicNetwork/artifacts/first-run-standalone.sh
# Arguments: region, root domain, org1/org2/org3 subdomains, channel name, ECR registry URL, ECR account
/home/ec2-user/HyperLedger-BasicNetwork/artifacts/first-run-standalone.sh us-east-1 example.com org1 org2 org3 mychannel 354658284331.dkr.ecr.us-east-1.amazonaws.com/ 354658284331
res=$?
echo $res
The IAM policy I attached to the role -
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:DescribeImages",
        "ecr:BatchGetImage"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "*"
    }
  ]
}
Note - please replace the AWS ECR account number with the appropriate one for your region, and the AWS region in the script above accordingly. The script also has (example.com org1 org2 org3 mychannel); change these as required. They are the same as the RootDomain, Org1SubDomain, Org2SubDomain, Org3SubDomain and ChannelName we enter in the CF template.
The whole process was tested in the us-east-1 region, and the script can be deployed directly in us-east-1. Access the Hyperledger web monitor interface at http://EC2-DNS or EIP:8080
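Both the policy in the question and the one in the answer grant every ECR and S3 read action on `"Resource": "*"`, so the instance role can read any bucket and any registry in the account. The following is an added example (not code from AWS or from either post) that builds the same set of capabilities scoped to the single registry and template bucket the script above actually pulls from, and a small linter that reports which wildcard grants a policy still carries. It assumes the bootstrap reads nothing from S3 other than the aws-blockchain-templates bucket for its region; the registry account and bucket name are taken from the answer's script.

```python
# Added example, not code from AWS or either post: a least-privilege version of
# the ECR/S3 policy in the answer above, plus a linter for Resource "*" grants.
# Constructed inputs: region, registry account and bucket come from the answer.
WILDCARD_ONLY = {"ecr:GetAuthorizationToken"}  # IAM allows this only on Resource "*"

# The policy as posted in the answer: Resource "*" on every statement.
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
                    "ecr:GetDownloadUrlForLayer", "ecr:GetRepositoryPolicy",
                    "ecr:DescribeRepositories", "ecr:ListImages",
                    "ecr:DescribeImages", "ecr:BatchGetImage"]},
        {"Effect": "Allow", "Resource": "*", "Action": ["s3:Get*", "s3:List*"]},
    ],
}


def build_scoped_policy(region: str, registry_account: str) -> dict:
    """Same capabilities, bound to the single registry and template bucket the
    bootstrap script pulls from (assumption: it reads nothing else from S3)."""
    bucket = f"arn:aws:s3:::aws-blockchain-templates-{region}"
    ecr_actions = [a for a in POSTED_POLICY["Statement"][0]["Action"]
                   if a not in WILDCARD_ONLY]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(WILDCARD_ONLY), "Resource": "*"},
            # every Fabric image the script pulls lives in this one registry
            {"Effect": "Allow", "Action": ecr_actions,
             "Resource": f"arn:aws:ecr:{region}:{registry_account}:repository/*"},
            # ListBucket targets the bucket ARN, GetObject the objects under it
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": [bucket, f"{bucket}/*"]},
        ],
    }


def wildcard_grants(policy: dict) -> list:
    """Return the allowed actions bound to Resource "*" that could be scoped."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        res, actions = stmt.get("Resource", []), stmt.get("Action", [])
        res = [res] if isinstance(res, str) else res  # IAM accepts str or list
        actions = [actions] if isinstance(actions, str) else actions
        if "*" in res:
            findings.extend(a for a in actions if a not in WILDCARD_ONLY)
    return findings
```

If first-run-standalone.sh turns out to read from another bucket, the AccessDenied will show up in CloudTrail and that one ARN can be added rather than reverting to `s3:Get*` on everything.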