S3请求从运行在ECS中的.Net核心应用程序超时
下面是我从s3获取对象的代码。这段代码在我的机器上本地工作,我在这里设置了一个aws配置文件和配置文件。我的印象是,如果我给我的ecs任务一个可以访问s3的角色,那么在我的代码中将访问密钥和秘密密钥传递给s3Client的情况下,它仍然可以工作。
S3 GET码
public async Task GetFilesFromS3Async(IEnumerable<FileDownloadViewModel> attachments)
{
foreach (var attachment in attachments)
{
var request = new GetObjectRequest()
{
BucketName = "bucketname",
Key = $"{attachment.SubBucket}/{attachment.ObjectId}/{attachment.FileName}"
};
using(var s3response = await _client.GetObjectAsync(request))
{
using (var memoryStream = new MemoryStream())
{
await s3response.ResponseStream.CopyToAsync(memoryStream);
memoryStream.Position = 0;
attachment.FileBytes = memoryStream.ToArray();
}
}
}
}s3客户端init
private readonly IAmazonS3 _client;
public S3Service(IAmazonS3 client)
{
_client = client;
}startup.cs代码
services.AddAWSService<IAmazonS3>();我的任务和ec2实例上的角色都有允许对s3进行写/读操作的策略。
编辑
关于运行容器的ec2实例和服务的策略:(基本上所有用于s3的get和put操作)
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutAnalyticsConfiguration",
"s3:GetObjectVersionTagging",
"s3:CreateBucket",
"s3:ReplicateObject",
"s3:GetObjectAcl",
"s3:GetBucketObjectLockConfiguration",
"s3:DeleteBucketWebsite",
"s3:PutLifecycleConfiguration",
"s3:GetObjectVersionAcl",
"s3:DeleteObject",
"s3:GetBucketPolicyStatus",
"s3:GetObjectRetention",
"s3:GetBucketWebsite",
"s3:PutReplicationConfiguration",
"s3:PutObjectLegalHold",
"s3:GetObjectLegalHold",
"s3:GetBucketNotification",
"s3:PutBucketCORS",
"s3:GetReplicationConfiguration",
"s3:ListMultipartUploadParts",
"s3:PutObject",
"s3:GetObject",
"s3:PutBucketNotification",
"s3:PutBucketLogging",
"s3:PutBucketObjectLockConfiguration",
"s3:GetObjectVersionForReplication",
"s3:GetLifecycleConfiguration",
"s3:ListBucketByTags",
"s3:GetInventoryConfiguration",
"s3:GetBucketTagging",
"s3:PutAccelerateConfiguration",
"s3:DeleteObjectVersion",
"s3:GetBucketLogging",
"s3:ListBucketVersions",
"s3:RestoreObject",
"s3:GetBucketPolicy",
"s3:PutEncryptionConfiguration",
"s3:GetEncryptionConfiguration",
"s3:GetObjectVersionTorrent",
"s3:AbortMultipartUpload",
"s3:GetBucketRequestPayment",
"s3:GetObjectTagging",
"s3:GetMetricsConfiguration",
"s3:DeleteBucket",
"s3:PutBucketVersioning",
"s3:GetBucketPublicAccessBlock",
"s3:ListBucketMultipartUploads",
"s3:PutMetricsConfiguration",
"s3:GetBucketVersioning",
"s3:GetBucketAcl",
"s3:PutInventoryConfiguration",
"s3:GetObjectTorrent",
"s3:PutBucketWebsite",
"s3:PutBucketRequestPayment",
"s3:PutObjectRetention",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:ReplicateDelete",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::bucket/*",
"arn:aws:s3:::bucket"
]
}
]
}在我的前端应用程序的控制台中,我也会收到一个cors错误,但是在我的应用程序中其他地方没有cors问题。
回答 1
Stack Overflow用户
发布于 2019-10-01 02:35:13
超时听起来像是没有在网络级别设置的东西。如果是策略问题,我预计会出现权限错误的异常。我需要知道您的ECS任务角色和附加策略是什么样子的,以及用于ECS任务的启动和网络类型来排除建议。
- 检查角色和策略
使用策略模拟器来模拟GetObject操作为您的S3桶工作,使用您认为您在ECS任务中假设的策略。这将验证它不是政策或给你更多的细节。
验证正在使用的ECS任务角色,以及正在使用的角色是否附加了此策略。在这里分享您的角色和附加策略,如果您仍然认为这是一个策略问题。
- 验证联网
S3通常通过公共互联网访问。因此,如果您不允许ECS公开访问internet,它通常不会工作,我希望您在操作中看到超时。您需要检查任务所在的VPC是否有通过NAT网关进行的公共internet访问,或者VPC有一个专用端点,用于在私有VPC中设置S3桶。还需要确保ECS任务中使用的Security允许向公共internet发送出站HTTP/HTTPS (TCP端口80/443)。
这是一个更多的网络问题,您需要从serverfault.com获得帮助,但以下是一些开始跟踪网络问题的地方。
https://serverfault.com/questions/578571/accessing-amazon-s3-from-a-private-vpc-subnet
https://aws.amazon.com/premiumsupport/knowledge-center/s3-private-connection-no-authentication/
https://stackoverflow.com/questions/58175727
复制相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号