内容纲要
关于我使用AWS CLI踩的坑
1.前言
因为要使用CLI来连接S3,来验证一些东西,从S3下载一些东西。所以在EC2上下载了CLI并进行了配置,当我输入aws s3 ls发现报错:
An error occurred (NoSuchBucket) when calling the ListObjectsV2 operation: The specified bucket does not exist好家伙不能访问,以前都没事的,为啥一用公司的账号就出现这个情况?于是开始了一天的摸索。
2.解决方案的尝试和发现
查阅网上,基本就是cli配置有问题,加–profile
aws configure --profile mfa
AWS Access Key ID [None]: ****************
AWS Secret Access Key [None]: ****************
Default region name [None]: ap-northeast-1
Default output format [None]:json
然后就是说因为是设置了MFA导致CLI也要设置MFA需要获取临时MFA的token来设置
aws sts get-session-token --serial-number --token-code <6桁のMFA用トークン> --duration-seconds <有効期間> --profile mfa 获取之后会返回
{
"Credentials": {
"AccessKeyId": "*****",
"SecretAccessKey": "*****",
"SessionToken": "*****",
"Expiration": "2023-09-05T18:47:23+00:00"
}
}使用
export AWS_ACCESS_KEY_ID=*****
export AWS_SECRET_ACCESS_KEY=*****
export AWS_SESSION_TOKEN=******************************一般可以解决!
最后去看Policy
发现
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowIndividualUserToManageTheirOwnMFA",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:DeleteVirtualMFADevice",
"iam:DeactivateMFADevice",
"iam:EnableMFADevice",
"iam:ResyncMFADevice",
"iam:ListMFADevices"
],
"Resource": [
"arn:aws:iam::*:mfa/${aws:username}",
"arn:aws:iam::*:user/${aws:username}"
]
},
{
"Sid": "BlockMostAccessUnlessSignedInWithMFA",
"Effect": "Deny",
"NotAction": [
"iam:CreateVirtualMFADevice",
"iam:DeleteVirtualMFADevice",
"iam:DeactivateMFADevice",
"iam:EnableMFADevice",
"iam:ResyncMFADevice",
"iam:ListMFADevices"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}好家伙,不用MFA就不给用。
删除这个策略后恢复。