Configuring ActiveStorage to use S3 with an IAM role
I am trying to configure ActiveStorage to use an S3 bucket as the storage backend, but I do not want to pass any access_key_id, secret_access_key or region. Instead, I want to use a previously defined IAM role. Such a configuration is mentioned here. It says (bold added by me):
If you want to use environment variables, standard SDK configuration files, profiles, IAM instance profiles or task roles, you can omit the access_key_id, secret_access_key, and region keys in the example above. The Amazon S3 Service supports all of the authentication options described in the AWS SDK documentation.
But I cannot get it to work. My storage.yml looks similar to this:
amazon:
  service: S3
  bucket: bucket_name
  credentials:
    role_arn: "linked::account::arn"
    role_session_name: "session-name"
I have run rails active_storage:install, applied the generated migration and set config.active_storage.service = :amazon in my app config.
The problem is that when I try to save a file, I get an unexpected error:
u = User.first
s = StringIO.new
s << 'hello,world'
s.seek 0
u.csv.attach(io: s, filename: 'filename.csv')
Traceback (most recent call last):
        2: from (irb):3
        1: from (irb):3:in `rescue in irb_binding'
LoadError (Unable to autoload constant ActiveStorage::Blob::Analyzable, expected /usr/local/bundle/gems/activestorage-5.2.2/app/models/active_storage/blob/analyzable.rb to define it)
I am using Rails 5.2.2.
Are you trying this code inside an AWS EC2 instance or locally on your machine?
If you check the authentication methods in AWS: https://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/setup-config.html#aws-ruby-sdk-credentials-iam
you will see the following section:
Setting Credentials Using IAM
For an Amazon Elastic Compute Cloud instance, create an AWS Identity and Access Management role, and then give your Amazon EC2 instance access to that role. For more information, see IAM Roles for Amazon EC2 in the Amazon EC2 User Guide for Linux Instances or IAM Roles for Amazon EC2 in the Amazon EC2 User Guide for Windows Instances.
This means that for this authentication method to work, you must:
- create an EC2 instance on AWS
- create an EC2 IAM role with permission to write to the S3 bucket
- configure your EC2 instance so that the new IAM role is attached to it
Once the role is attached to the instance, your config/storage.yml file will look like this:
amazon:
  service: S3
  bucket: test-Whosebug-bucket-app
  region: "us-west-1"
Note that region is a required parameter; skipping it will raise an error: https://github.com/aws/aws-sdk-ruby/issues/1240#issuecomment-231866239
I am afraid this does not work locally; to use active_storage locally you must set the access_key_id and secret_access_key values.
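The answer above boils down to two things: keep long-lived keys out of storage.yml when an instance profile or task role is available, and always set region. The following Ruby is an added example, not code from the question, the answer or the Rails/aws-sdk-ruby projects. It uses constructed storage.yml snippets, mirrors the fact that ActiveStorage passes every key except `service` to the SDK, lints for committed static keys, and gives a simplified, hand-written view of the SDK's default credential provider chain (the shared config file lookup is replaced by a `profile_present` flag, since nothing here reads disk or calls the metadata endpoint).

```ruby
require "yaml"

# Constructed sample configs for this example (not the original poster's file).
# The first hard-codes long-lived keys in storage.yml; the second leaves them
# out so the AWS SDK's default credential chain (instance profile / task role)
# supplies short-lived credentials.
STATIC_KEYS_YAML = <<~YAML
  amazon:
    service: S3
    bucket: example-bucket
    region: us-west-1
    access_key_id: AKIAIOSFODNN7EXAMPLE
    secret_access_key: example-secret-not-real
YAML

IAM_ROLE_YAML = <<~YAML
  amazon:
    service: S3
    bucket: example-bucket
    region: us-west-1
YAML

NO_REGION_YAML = <<~YAML
  amazon:
    service: S3
    bucket: example-bucket
YAML

STATIC_CREDENTIAL_KEYS = %w[access_key_id secret_access_key session_token].freeze

# Everything in the service entry except `service` is handed to the SDK by
# ActiveStorage's S3 service, so these keys become SDK client options.
def s3_client_options(yaml_text, service_name = "amazon")
  config = YAML.safe_load(yaml_text).fetch(service_name)
  raise ArgumentError, "#{service_name} is not an S3 service" unless config["service"] == "S3"
  # The SDK refuses to build a client without a region, so fail here at boot
  # rather than on the first upload.
  raise ArgumentError, "region is required for #{service_name}" unless config["region"]
  config.reject { |k, _| k == "service" }.transform_keys(&:to_sym)
end

# Lint: long-lived keys that should not be committed when a role is available.
def static_credentials_in(yaml_text, service_name = "amazon")
  config = YAML.safe_load(yaml_text).fetch(service_name)
  config.keys & STATIC_CREDENTIAL_KEYS
end

# Simplified, hand-written view of where credentials come from (assumption:
# this follows the order of aws-sdk-core's default provider chain: explicit
# client options, environment, shared config file, ECS task role, then the
# EC2 instance profile via the instance metadata service).
def credential_source(client_options, env, profile_present: false)
  if client_options[:access_key_id] && client_options[:secret_access_key]
    :static_config
  elsif env["AWS_ACCESS_KEY_ID"] && env["AWS_SECRET_ACCESS_KEY"]
    :environment
  elsif profile_present
    :shared_profile
  elsif env["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"]
    :ecs_task_role
  else
    :ec2_instance_profile
  end
end

if __FILE__ == $PROGRAM_NAME
  opts = s3_client_options(IAM_ROLE_YAML)
  puts "client options passed to the SDK: #{opts.inspect}"
  puts "static keys committed in the bad config: #{static_credentials_in(STATIC_KEYS_YAML).inspect}"
  puts "credential source on an EC2 instance with a role attached: #{credential_source(opts, {})}"
end
```

Run it as a plain script, or call `static_credentials_in` from a boot-time check so a storage.yml that reintroduces keys fails CI instead of shipping. The `credential_source` function is only a model of the chain; on a real host the authoritative answer is `Aws::S3::Client.new(region: ...).config.credentials`, which requires the aws-sdk-s3 gem and, for roles, reachability of the metadata endpoint.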