amazon-web-services - A client error (403) occurred when calling the HeadObject operation: Forbidden, from the Amazon Web Services AWS CLI

I am trying to set up an Amazon Linux AMI (ami-f0091d91) that runs a copy command to copy data from an S3 bucket.

```
aws --debug s3 cp s3://aws-codedeploy-us-west-2/latest/codedeploy-agent.noarch.rpm .
```
This script works fine on my local machine, but it fails on the Amazon image with the following error:

```
2016-03-22 01:07:47,110 - MainThread - botocore.auth - DEBUG - StringToSign:
HEAD


Tue, 22 Mar 2016 01:07:47 GMT
x-amz-security-token:AQoDYXdzEPr//////////wEa4ANtcDKVDItVq8Z5OKms8wpQ3MS4dxLtxVq6Om1aWDhLmZhL2zdqiasNBV4nQtVqwyPsRVyxl1Urq1BBCnZzDdl4blSklm6dvu+3efjwjhudk7AKaCEHWlTd/VR3cksSNMFTcI9aIUUwzGW8lD9y8MVpKzDkpxzNB7ZJbr9HQNu8uF/st0f45+ABLm8X4FsBPCl2I3wKqvwV/s2VioP/tJf7RGQK3FC079oxw3mOid5sEi28o0Qp4h/Vy9xEHQ28YQNHXOBafHi0vt7vZpOtOfCJBzXvKbk4zRXbLMamnWVe3V0dArncbNEgL1aAi1ooSQ8+Xps8ufFnqDp7HsquAj50p459XnPedv90uFFd6YnwiVkng9nNTAF+2Jo73+eKTt955Us25Chxvk72nAQsAZlt6NpfR+fF/Qs7jjMGSF6ucjkKbm0x5aCqCw6YknsoE1Rtn8Qz9tFxTmUzyCTNd7uRaxbswm7oHOdsM/Q69otjzqSIztlwgUh2M53LzgChQYx5RjYlrjcyAolRguJjpSq3LwZ5NEacm/W17bDOdaZL3y1977rSJrCxb7lmnHCOER5W0tsF9+XUGW1LMX69EWgFYdn5QNqFk6mcJsZWrR9dkehaQwjLPcv/29QcM+b5u/0goazCtwU=
/aws-codedeploy-us-west-2/latest/codedeploy-agent.noarch.rpm
2016-03-22 01:07:47,111 - MainThread - botocore.endpoint - DEBUG - Sending http request: <PreparedRequest [HEAD]>
2016-03-22 01:07:47,111 - MainThread - botocore.vendored.requests.packages.urllib3.connectionpool - INFO - Starting new HTTPS connection (1): aws-codedeploy-us-west-2.s3.amazonaws.com
2016-03-22 01:07:47,151 - MainThread - botocore.vendored.requests.packages.urllib3.connectionpool - DEBUG - "HEAD /latest/codedeploy-agent.noarch.rpm HTTP/1.1" 403 0
2016-03-22 01:07:47,151 - MainThread - botocore.parsers - DEBUG - Response headers: {'x-amz-id-2': '0mRvGge9ugu+KKyDmROm4jcTa1hAnA5Ax8vUlkKZXoJ//HVJAKxbpFHvOGaqiECa4sgon2F1kXw=', 'server': 'AmazonS3', 'transfer-encoding': 'chunked', 'x-amz-request-id': '6204CD88E880E5DD', 'date': 'Tue, 22 Mar 2016 01:07:46 GMT', 'content-type': 'application/xml'}
2016-03-22 01:07:47,152 - MainThread - botocore.parsers - DEBUG - Response body:

2016-03-22 01:07:47,152 - MainThread - botocore.hooks - DEBUG - Event needs-retry.s3.HeadObject: calling handler <botocore.retryhandler.RetryHandler object at 0x7f421075bcd0>
2016-03-22 01:07:47,152 - MainThread - botocore.retryhandler - DEBUG - No retry needed.
2016-03-22 01:07:47,152 - MainThread - botocore.hooks - DEBUG - Event after-call.s3.HeadObject: calling handler <function enhance_error_msg at 0x7f4211085758>
2016-03-22 01:07:47,152 - MainThread - botocore.hooks - DEBUG - Event after-call.s3.HeadObject: calling handler <awscli.errorhandler.ErrorHandler object at 0x7f421100cc90>
2016-03-22 01:07:47,152 - MainThread - awscli.errorhandler - DEBUG - HTTP Response Code: 403
2016-03-22 01:07:47,152 - MainThread - awscli.customizations.s3.s3handler - DEBUG - Exception caught during task execution: A client error (403) occurred when calling the HeadObject operation: Forbidden
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/awscli/customizations/s3/s3handler.py", line 100, in call
    total_files, total_parts = self._enqueue_tasks(files)
  File "/usr/local/lib/python2.7/site-packages/awscli/customizations/s3/s3handler.py", line 178, in _enqueue_tasks
    for filename in files:
  File "/usr/local/lib/python2.7/site-packages/awscli/customizations/s3/fileinfobuilder.py", line 31, in call
    for file_base in files:
  File "/usr/local/lib/python2.7/site-packages/awscli/customizations/s3/filegenerator.py", line 142, in call
    for src_path, extra_information in file_iterator:
  File "/usr/local/lib/python2.7/site-packages/awscli/customizations/s3/filegenerator.py", line 314, in list_objects
    yield self._list_single_object(s3_path)
  File "/usr/local/lib/python2.7/site-packages/awscli/customizations/s3/filegenerator.py", line 343, in _list_single_object
    response = self._client.head_object(**params)
  File "/usr/local/lib/python2.7/site-packages/botocore/client.py", line 228, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python2.7/site-packages/botocore/client.py", line 488, in _make_api_call
    model=operation_model, context=request_context
  File "/usr/local/lib/python2.7/site-packages/botocore/hooks.py", line 226, in emit
    return self._emit(event_name, kwargs)
  File "/usr/local/lib/python2.7/site-packages/botocore/hooks.py", line 209, in _emit
    response = handler(**kwargs)
  File "/usr/local/lib/python2.7/site-packages/awscli/errorhandler.py", line 70, in __call__
    http_status_code=http_response.status_code)
ClientError: A client error (403) occurred when calling the HeadObject operation: Forbidden
2016-03-22 01:07:47,153 - Thread-1 - awscli.customizations.s3.executor - DEBUG - Received print task: PrintTask(message='A client error (403) occurred when calling the HeadObject operation: Forbidden', error=True, total_parts=None, warning=None)
A client error (403) occurred when calling the HeadObject operation: Forbidden
```

However, when I run it with the --no-sign-request option, it works perfectly:

```
aws --debug --no-sign-request s3 cp s3://aws-codedeploy-us-west-2/latest/codedeploy-agent.noarch.rpm .
```



I got the error A client error (403) occurred when calling the HeadObject operation: Forbidden for the aws cli copy command aws s3 cp s3://bucket/file file, with this policy:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}
```

I found that I had a bug in the CloudFormation template that created the EC2 instances. Because of it, the EC2 instances that were trying to access the CodeDeploy bucket above were in a different region (not us-west-2). The access policy of those buckets (owned by Amazon) only allows access from the region they belong to. When I fixed the bug in the template (it was a wrong parameter mapping), the error went away.

I ran into this problem, and adding --recursive to the command fixed it.

Try providing the region explicitly, e.g. --region cn-north-1

I tried to solve this myself and found there was no HeadBucket permission; I also found that my IAM policy and bucket policy conflicted with each other, so be sure to check that carefully.

In my case the problem was the Resource statement in the user access policy.

At first it was "Resource":"arn:aws:s3:::BUCKET_NAME", but to access the objects inside the bucket it needs /* at the end: "Resource":"arn:aws:s3:::BUCKET_NAME/*"
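The two answers above that blame the IAM policy (the `/*` suffix and the conflicting policies) and the first answer (whose `s3:*` on `*` policy allows everything, so its 403 had to come from outside IAM, here the region-restricted bucket policy) can be checked offline with a small, simplified IAM evaluator. The code below is an added example, not code from the question or any answer, and its policies are constructed samples: it evaluates `s3:GetObject` against the object ARN (what HeadObject needs) and `s3:ListBucket` against the bucket ARN, using IAM's `*`/`?` wildcard matching, explicit Deny winning over Allow, and implicit default deny. Conditions, `NotAction`, `NotResource` and bucket policies are deliberately left out, so a True here only means the identity policy is not the cause.

```python
import fnmatch
import json

# Constructed sample policies (not the page's own JSON). The first uses the
# bare bucket ARN the last answer warns about; the second adds the "/*" form.
POLICY_BUCKET_ONLY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::BUCKET_NAME"}
  ]
}
""")

POLICY_WITH_OBJECTS = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::BUCKET_NAME"},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::BUCKET_NAME/*"}
  ]
}
""")

# Same shape as the first answer's policy: full S3 access on every resource.
POLICY_ALLOW_ALL = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "s3:*",
                                   "Resource": "*"}]}


def _as_list(value):
    """IAM allows Action/Resource/Statement to be a string/dict or a list."""
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value):
    """IAM wildcards: '*' matches any run of characters, '?' exactly one.
    fnmatchcase is case-sensitive, which is right for S3 ARNs; it also
    understands '[...]' classes, which IAM does not, but ARNs never contain '['."""
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation (assumption: no Condition,
    NotAction or NotResource): explicit Deny wins, any matching Allow grants,
    otherwise the implicit default is deny. Action names are case-insensitive."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(_iam_match(a, action.lower()) for a in actions):
            continue
        if not any(_iam_match(r, resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def head_object_outcome(policy, bucket, key):
    """Predict how `aws s3 cp s3://bucket/key .` fares against a policy.
    The CLI starts with HeadObject, which needs s3:GetObject on the object ARN;
    s3:ListBucket on the bucket ARN decides whether S3 reports a missing or
    unreadable key as 404 rather than 403."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/{key}"
    return {
        "GetObject": is_allowed(policy, "s3:GetObject", object_arn),
        "ListBucket": is_allowed(policy, "s3:ListBucket", bucket_arn),
    }


if __name__ == "__main__":
    for name, pol in (("bucket ARN only", POLICY_BUCKET_ONLY),
                      ("bucket ARN + /*", POLICY_WITH_OBJECTS),
                      ("s3:* on *", POLICY_ALLOW_ALL)):
        print(f"{name:16s}",
              head_object_outcome(pol, "BUCKET_NAME", "latest/agent.rpm"))
```

Running it shows the bare bucket ARN granting ListBucket but not GetObject on any key, which is exactly the HeadObject 403 from the question; the `/*` variant and the first answer's wildcard policy both pass, so for the latter the cause must be sought in the bucket policy or the region, as that answer found.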

...