Amazon web services: Elastic Beanstalk can't read KMS key

Tags: amazon-web-services, amazon-elastic-beanstalk

I am running my server on Elastic Beanstalk and storing my secrets in the Key Management Service (KMS).

I can access KMS locally, I can confirm that the correct key is in KMS, and the local system works fine. However, when I upload it to Elastic Beanstalk it cannot retrieve the key and fails with the following error:

Jul 31 18:42:31 ip-10-1-0-199 web: (node:8766) UnhandledPromiseRejectionWarning: Error: Unable to decrypt data key and one or more KMS CMKs had an error.
Jul 31 18:42:31 ip-10-1-0-199 web: Error #1
Jul 31 18:42:31 ip-10-1-0-199 web: AccessDeniedException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.
Since it works locally, the key does exist. Since they are in the same region, that rules out the region as well. So I assume it is the "or you are not allowed to access" part. But I don't know how to check that one, or even how to grant access to my Elastic Beanstalk application.

Does anyone know how to grant KMS access to an Elastic Beanstalk application? (I assume that is the problem.)

Below is how my code currently pulls the information, for reference:


// Environment, Environments and Config are defined elsewhere in the application.
// The requires below are added so the snippet is self-contained: aws-sdk v2
// (callback-style S3 client) and the v1 API of the AWS Encryption SDK for
// JavaScript, which exports KmsKeyringNode and decrypt directly.
const AWS = require('aws-sdk');
const { KmsKeyringNode, decrypt } = require('@aws-crypto/client-node');
const s3 = new AWS.S3();

// This is an async function that runs only on startup
// There is a potential chance that on first startup a user could call the server
// and the server still have local/dev credentials
// Should think of a solution for this
if(
    Environment === Environments.Production || 
    Environment === Environments.Release || 
    Environment === Environments.Development
  ){
  Config.Aws.BucketName = process.env.bucketName;
  Config.Aws.BucketFilePath = process.env.bucketFilePath;
}

let useKms = true;
if(
    Environment === Environments.Production || 
    Environment === Environments.Release || 
    Environment === Environments.Development
  ){
  useKms = true;
}


if(useKms && Config.Aws.BucketName !== "" && Config.Aws.BucketFilePath !== ""){
  try{
    var getParams = {
      Bucket: Config.Aws.BucketName, 
      Key: Config.Aws.BucketFilePath, 
    }

    console.log("getParams",getParams);

    s3.getObject(getParams, async function(err, data) {
      // Handle any error and exit
      if (err){
        console.log("err",err);
        return false;
      }
      // The outer try/catch cannot see errors thrown inside this callback, so a
      // rejected decrypt() surfaces as the UnhandledPromiseRejectionWarning in the
      // log above. Catch it here instead.
      try {
        // No error happened
        // Convert Body from a Buffer to a String
        let objectData = data.Body.toString('utf-8'); // Use the encoding necessary
        // NOTE: eval executes the S3 object as JavaScript, so anyone who can write
        // to this bucket/key can run code on the server. The file is treated as
        // trusted here because we control what is saved in S3.
        let BucketKeys = eval(objectData);

        // CMK ids/ARNs the keyring may use to unwrap the data key
        let keyIds = BucketKeys.AwsKeyIds;

        const keyring = new KmsKeyringNode({ keyIds });
        // BufferString is a JSON-serialised Buffer ({type:'Buffer',data:[...]})
        // holding the Encryption SDK message produced at encryption time
        let result = Buffer.from(JSON.parse(BucketKeys.BufferString).data);
        const { plaintext } = await decrypt(keyring,result);

        let foo = plaintext.toString('utf8');
        let KmsObject = JSON.parse(foo);

        Config.Db.Hostname = KmsObject.DatabaseHost;
        Config.Db.Username = KmsObject.DatabaseUsername;
        Config.Db.Password = KmsObject.DatabasePassword;
        Config.Db.Name = KmsObject.DatabaseName;
        Config.Db.Port = KmsObject.DatabasePort;

        Config.Keys.ApiKey = KmsObject.ApiKey;
        Config.Keys.ClientId = KmsObject.ClientId;
        Config.Keys.FetchTokenUsername = KmsObject.FetchTokenUsername;
        Config.Keys.FetchTokenPassword = KmsObject.FetchTokenPassword;
        
        Config.Keys.GoogleClientId = KmsObject.GoogleClientId;
        Config.Keys.GoogleClientSecret = KmsObject.GoogleClientSecret;
        Config.Keys.FacebookAppId = KmsObject.FacebookAppId;
        Config.Keys.FacebookAppSecret = KmsObject.FacebookAppSecret;

        Config.Keys.PaypalApiUrl = "https://api.paypal.com";
        Config.Keys.PaypalClientId = KmsObject.PaypalClientId;
        Config.Keys.PaypalSecret = KmsObject.PaypalSecret;

        Config.Keys.StripePublicKey = KmsObject.StripePublicKey;
        Config.Keys.StripeSecretKey = KmsObject.StripeSecretKey;

        Config.Email.Host = KmsObject.EmailHost;
        Config.Email.Port = KmsObject.EmailPort;
        Config.Email.Secure = false;
        Config.Email.User = KmsObject.EmailUser;
        Config.Email.Pass = KmsObject.EmailPass;
        Config.Email.From = "Server";
      } catch (e) {
        // KMS Decrypt failures (e.g. AccessDeniedException) end up here
        console.log("KMS decrypt failed", e);
      }

    });
  }catch(e){
    console.log("tried KMS. but errored out");
  }
}

To let your EB instances use KMS, you must explicitly allow it.

This is done through [link]. Specifically, you can add your EB instance role as a key user. To check CMK access, you also need to check the key policy.

In the KMS console, to add permission for the EB instances to use the key, you can add the instance role's ARN (or name) to the key policy:
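As an added example (it is not part of the answer above and not AWS tooling): the key policy statement the KMS console writes when a role is added as a key user, shown next to the default policy that only names the account root, plus a small offline checker that evaluates whether a given principal is allowed a given action by a policy document. The account ID is made up, and aws-elasticbeanstalk-ec2-role is assumed to be the instance profile role; that is the default name Elastic Beanstalk creates, but check which role your environment actually uses.

```javascript
// Added example, not from the original post: a KMS key policy before and after
// an Elastic Beanstalk instance profile role is added as a "key user", plus an
// offline checker for "does this policy allow principal X to call action Y?".
// Account id and role name are assumed (aws-elasticbeanstalk-ec2-role is the
// default instance profile role EB creates; verify which role your env uses).
const ACCOUNT_ID = '111122223333';
const ROOT_ARN = `arn:aws:iam::${ACCOUNT_ID}:root`;
const INSTANCE_ROLE_ARN = `arn:aws:iam::${ACCOUNT_ID}:role/aws-elasticbeanstalk-ec2-role`;

// Default key policy the KMS console creates: only the account root principal
// is named. This enables IAM identity policies in the account but grants
// nothing to a role by itself, which is what yields AccessDeniedException on
// Decrypt for a role that has no IAM policy of its own.
function defaultKeyPolicy(accountId) {
  return {
    Version: '2012-10-17',
    Id: 'key-default-1',
    Statement: [{
      Sid: 'Enable IAM User Permissions',
      Effect: 'Allow',
      Principal: { AWS: `arn:aws:iam::${accountId}:root` },
      Action: 'kms:*',
      Resource: '*',
    }],
  };
}

// The "Allow use of the key" statement the console adds for a key user.
// Returns a new policy document; the input is not mutated.
function grantKeyUser(policy, roleArn) {
  return {
    ...policy,
    Statement: [...policy.Statement, {
      Sid: 'Allow use of the key',
      Effect: 'Allow',
      Principal: { AWS: roleArn },
      Action: ['kms:Encrypt', 'kms:Decrypt', 'kms:ReEncrypt*',
               'kms:GenerateDataKey*', 'kms:DescribeKey'],
      Resource: '*',
    }],
  };
}

const toList = (x) => (x === undefined ? [] : Array.isArray(x) ? x : [x]);

// IAM action strings may contain '*' wildcards and match case-insensitively.
function actionMatches(pattern, action) {
  const escaped = pattern.split('*')
    .map((s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*');
  return new RegExp(`^${escaped}$`, 'i').test(action);
}

// Principals named in a statement: either "*" or { AWS: arn | [arns] }.
function principalsOf(statement) {
  const p = statement.Principal;
  return typeof p === 'string' ? [p] : toList(p && p.AWS);
}

// Evaluate one principal/action pair against the key policy: an explicit Deny
// always wins, otherwise any matching Allow grants. Only statements that name
// the principal (or "*") count; the root statement's delegation to IAM identity
// policies is deliberately not modelled, because a role relying on it still
// needs its own IAM policy, which this document cannot show.
function principalAllowed(policy, principalArn, action) {
  let allowed = false;
  for (const st of policy.Statement) {
    const principals = principalsOf(st);
    if (!principals.includes(principalArn) && !principals.includes('*')) continue;
    if (!toList(st.Action).some((a) => actionMatches(a, action))) continue;
    if (st.Effect === 'Deny') return false;
    if (st.Effect === 'Allow') allowed = true;
  }
  return allowed;
}

// Walk through the scenario from the question.
function main() {
  const before = defaultKeyPolicy(ACCOUNT_ID);
  const after = grantKeyUser(before, INSTANCE_ROLE_ARN);
  console.log('default policy, instance role, kms:Decrypt ->',
    principalAllowed(before, INSTANCE_ROLE_ARN, 'kms:Decrypt'));   // false
  console.log('key-user policy, instance role, kms:Decrypt ->',
    principalAllowed(after, INSTANCE_ROLE_ARN, 'kms:Decrypt'));    // true
  console.log(JSON.stringify(after, null, 2));
}

main();
```

To compare against a real key, `aws kms get-key-policy --key-id <key-id> --policy-name default` returns the live policy document, and `aws sts get-caller-identity` run on the instance shows which role the application actually assumes; that instance profile role, not the EB service role, is the one to name. A key policy statement naming the role directly is sufficient on its own; if you instead rely on the default root statement plus an IAM policy attached to the role, both must be present. If the key is in a different region or account from the instance, list it in the keyring's keyIds as a full key ARN rather than a bare key ID.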


Does this run as part of an .ebextension, after deployment, or as part of the application start-up? Make sure that the role the instance has, and the role EB has (if this runs during deployment), grant permissions to KMS.

@hephalump Not sure how to grant access between EB and KMS. Do you know how?