我正在通过 Mesos 将我的微服务部署到 EC2 实例中。问题是我正在与其他团队的微服务共享我的 EC2 实例。所有这些微服务都处理不同的 S3 存储桶,我们不希望其他人访问我们的存储桶。我需要为我的容器分配 IAM 角色,这样只有我才能通过部署在 EC2 实例中的微服务访问我的 S3 存储桶。 我们没有使用 ECS,而是使用 Mesos 进行部署。任何输入或评论表示赞赏。提前致谢。
最佳答案
AWS 对此不提供原生支持。在此期间,您可以使用 Lyft 的 metadataproxy (另请参见 blog post)。
引用博客:
We had an idea to build a web service that proxies calls to the metadata service on http://169.254.169.254 and pass through most of the calls to the real metadata service, but capture calls to the IAM endpoints. By capturing the IAM endpoints we can decide which IAM credentials we’ll hand back.
...
To know which IAM roles should be assumed, the metadataproxy has access to the docker socket. When it gets a request, it looks up the container, based on its request IP, finds that container’s environment variables and uses the value of the IAM_ROLE environment variable as the role to assume. It then uses STS to assume the role, caches the credentials in memory (for further requests) and returns them back to the caller. If the credentials cached in memory are set to expire, the proxy will re-assume the credentials.
关于amazon-ec2 - 如何在 Mesos 中为容器级访问设置 IAM 角色,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/35653511/