我创建了一个s3 vpc端点,但我无法计算出ec2实例上与bucket交互的api cli语法是什么。
"Resource": "arn:aws:s3:::MyBucketName"
从VPC配置页面
ENDPOINTID=vpce-dxxxxxxx SERVICE=com.amazonaws.eu-west-1.s3
s3策略
{ "Version": "2012-10-17", "Id": "MyPolicy", "Statement": [ { "Sid": "MySidId", "Effect": "Allow", "Principal": {
"AWS": "arn:aws:iam::xxxxxxxx:role/MyRole" }, "Action": "s3:*", "Resource": "arn:aws:s3:::MyBucketName" } ] }
ec2角色策略
{
"Sid": "MySidId",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": [
"*"
]
}
描述前缀列表
{
"VpcEndpoints": [
{
"PolicyDocument": "{"Version":"2008-10-17","Statement":[{"Sid":"","Effect":"Allow","Principal":"*","Action":"*","Resource":"*"}]}",
"VpcId": "vpc-ec96cxxxx",
"State": "available",
"ServiceName": "com.amazonaws.eu-west-1.s3",
"RouteTableIds": [
"rtb-87cexxxx",
"rtb-bbcexxxx"
],
"VpcEndpointId": "vpce-d983xxxx",
"CreationTimestamp": "2016-01-05T13:28:41Z"
}
]
}
路由表rtb-bbcexxxx具有正确的"PrefixListId": "pl-6da54xxx"
我试过以下
aws s3 --profile prf1 --region eu-west-1 ls MyBucketName.com.amazonaws.eu-west-1.s3
aws s3 --profile prf1 --region eu-west-1 ls com.amazonaws.eu-west-1.s3.MyBucketName
aws s3 --profile prf1 --region eu-west-1 ls com.amazonaws.eu-west-1.s3/MyBucketName
组合,但获得
A client error (NoSuchBucket) occurred when calling the ListObjects operation: The specified bucket does not exist
处理此端点的正确语法是什么?它只是s3://MyBucketName吗??
thx
艺术
应该是,是的——实际访问bucket的方式不应该改变。
将端点前缀列表与子网关联本质上劫持了DNS为S3区域返回的公共IP地址的路由,因此您发送到S3的流量穿过"端点",而不是通过互联网网关(igw-xxxxxxxx)发送——从您的角度来看,这只是VPC基础设施内的IP路由更改,因此,无论是否提供了S3端点,都不需要做任何不同的事情。
当然,我怀疑它实际上不仅仅是"仅仅"更改路由表,但无论幕后发生了什么,其余部分都由AWS内部的实现细节组成,与用户对服务的外观无关。
您应该尝试
aws s3 ls --region eu-west-1 s3://MyBucketName
这应该可以很好地处理端点。S3Uri前缀为s3://