Problem
When you try to access AWS resources (such as S3, SQS, or Redshift), the operation fails with the error:
com.amazonaws.SdkClientException: Unable to load AWS credentials from any provider in the chain: [BasicAWSCredentialsProvider: Access key or secret key is null, com.amazonaws.auth.InstanceProfileCredentialsProvider@a590007a: The requested metadata is not found at https:///latest/meta-data/iam/security-credentials/]
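Cause
- Scenario 1: To access AWS resources such as S3, SQS, or Redshift, access must be granted through an IAM role or AWS credentials. If neither is provided, the error above occurs.
- Scenario 2: An IAM role was supplied when the cluster was launched, but because of a misconfiguration the IAM role was not attached correctly. To debug this, run the following Bash command in a notebook attached to the cluster:
curl https://<ip-address>/latest/meta-data/iam/security-credentials/<role_name>
You should get a result like this:
"Code": "AssumeRoleUnauthorizedAccess", "Message": "EC2 cannot assume the role . Please see documentation at https://docs.amazonwebservices.com/IAM/latest/UserGuide/RolesTroubleshooting.html.", "LastUpdated": "2019-05-03T15:36:26Z"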
Solution
Add the correct IAM role to the cluster. The IAM role's trust relationship should have the following policy:
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
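The two checks above can be scripted. The following is an added example, not code from the original article: it classifies the body returned by the security-credentials endpoint and verifies that a trust policy lets the EC2 service assume the role. The function names and sample inputs are constructed for illustration, and the check does not evaluate `Condition` blocks or wildcard actions.

```python
import json

EC2_PRINCIPAL = "ec2.amazonaws.com"

# Constructed sample inputs (not captured from a real cluster).
GOOD_TRUST = '''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}'''
BAD_TRUST = '''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": ["lambda.amazonaws.com"]}, "Action": ["sts:AssumeRole"]}]}'''
SAMPLE_ERROR = '''{"Code": "AssumeRoleUnauthorizedAccess",
  "Message": "EC2 cannot assume the role example-role.",
  "LastUpdated": "2019-05-03T15:36:26Z"}'''

def _as_list(value):
    """IAM allows Statement, Action and Principal values as a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def trust_allows_ec2(policy_json):
    """True if an Allow statement lets the EC2 service call sts:AssumeRole."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]  # action names are case-insensitive
        if EC2_PRINCIPAL in services and "sts:assumerole" in actions:
            return True
    return False

def diagnose_metadata(body):
    """Classify the body returned by the security-credentials endpoint."""
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if not isinstance(doc, dict):
        return "not-found"            # no JSON document: no role credentials served
    code = doc.get("Code")
    if code == "Success":
        return "ok"
    if code == "AssumeRoleUnauthorizedAccess":
        return "fix-trust-policy"     # scenario 2: correct the trust relationship
    return "unknown:" + str(code)

if __name__ == "__main__":
    print(diagnose_metadata(SAMPLE_ERROR), trust_allows_ec2(GOOD_TRUST), trust_allows_ec2(BAD_TRUST))
```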