在云表单中使用时，无法从S3下载引导程序文件

Question

我们正在尝试部署一个具有LaunchConfig、AutoScaling组和IAM角色的EC2堆栈。在启动配置中，我们配置为在"AWS::CloudFormation::Init“的帮助下执行bash脚本。当EC2机器在中启动时，无法从S3获取引导程序文件。下面是错误日志。cfn-init.log

{
2020-02-21 17:48:48,663 https://forums.aws.amazon.com/ HTTP Error 404 : <?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>404 - Not Found</title>
</head>
<body>
<h1>404 - Not Found</h1>
</body>
</html>
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/cfnbootstrap/util.py", line 162, in _retry
return f(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/cfnbootstrap/util.py", line 286, in get_role_creds
resp.raise_for_status()
File "/usr/lib/python2.7/dist-packages/cfnbootstrap/packages/requests/models.py", line 834, in raise_for_status
raise HTTPError(http_error_msg, response=self)
HTTPError: 404 Client Error: Not Found
}

cloud-init-output.log

{
Error occurred during build: Failed to retrieve https://BUCKET_NAME.s3.amazonaws.com/BUCKET_PREFIX/scripts/bastion_bootstrap.sh: https://forums.aws.amazon.com/ HTTP Error 404 : <?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>404 - Not Found</title>
</head>
<body>
<h1>404 - Not Found</h1>
</body>
</html>
}

下面是我们拥有的CF模板：

  BastionLaunchConfiguration:
    Type: 'AWS::AutoScaling::LaunchConfiguration'
    Metadata:
      'AWS::CloudFormation::Authentication':
        S3AccessCreds:
          type: S3
          roleName: !Ref BastionHostProfile
          buckets:
            - !Ref QSS3BucketName
      'AWS::CloudFormation::Init':
        config:
          files:
            /tmp/bastion_bootstrap.sh:
              source: !Sub 'https://${QSS3BucketName}.s3.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}scripts/bastion_bootstrap.sh'
              mode: '000550'
              owner: root
              group: root
              authentication: S3AccessCreds
          commands:
            b-bootstrap:
              cwd: '/tmp/'
              command: !Join
                - ''
                - - ./bastion_bootstrap.sh
                  - ' --banner '
                  - !Ref BastionBanner
                  - ' --enable '
                  - !Ref EnableBanner
                  - ' --tcp-forwarding '
                  - !Ref EnableTCPForwarding
                  - ' --x11-forwarding '
                  - !Ref EnableX11Forwarding
    Properties:
      AssociatePublicIpAddress: true
      PlacementTenancy: !Ref BastionTenancy
      KeyName: !Ref KeyPairName
      IamInstanceProfile: !Ref BastionHostProfile
      ImageId: !If
        - UseOSImageOverride
        - !Ref OSImageOverride
        - !FindInMap
          - AWSAMIRegionMap
          - !Ref 'AWS::Region'
          - !FindInMap
            - LinuxAMINameMap
            - !Ref BastionAMIOS
            - Code
      SecurityGroups:
        - !Ref BastionSecurityGroup
      InstanceType: !Ref BastionInstanceType
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            VolumeSize: !Ref RootVolumeSize
            VolumeType: gp2
            Encrypted: true
            DeleteOnTermination: true

下面是我们分配用来启动配置的IAM角色资源：

  BastionHostRole:
    Condition: CreateIAMRole
    Type: 'AWS::IAM::Role'
    Properties:
      Path: / 
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - 'sts:AssumeRole'
            Principal:
              Service:
                - ec2.amazonaws.com
            Effect: Allow
        Version: 2012-10-17
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM'
  BastionHostPolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: BastionPolicy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action:
              - 's3:*'
            Resource: !Sub
              - 'arn:${Partition}:s3:::${QSS3BucketName}/${QSS3KeyPrefix}*'
              - Partition: !If
                  - GovCloudCondition
                  - aws-us-gov
                  - aws
            Effect: Allow
          - Action:
              - 'logs:CreateLogStream'
              - 'logs:GetLogEvents'
              - 'logs:PutLogEvents'
              - 'logs:DescribeLogGroups'
              - 'logs:DescribeLogStreams'
              - 'logs:PutRetentionPolicy'
              - 'logs:PutMetricFilter'
              - 'logs:CreateLogGroup'
            Resource: !Sub
              - arn:${Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${BastionMainLogGroup}:*
              - Partition: !If
                  - GovCloudCondition
                  - aws-us-gov
                  - aws
            Effect: Allow
          - Action:
              - 'ec2:AssociateAddress'
              - 'ec2:DescribeAddresses'
            Resource: '*'
            Effect: Allow
      Roles:
        - !If
          - CreateIAMRole
          - !Ref BastionHostRole
          - !Ref AlternativeIAMRole
  BastionHostProfile:
    DependsOn: BastionHostPolicy
    Type: 'AWS::IAM::InstanceProfile'
    Properties:
      Roles:
        - !If
          - CreateIAMRole
          - !Ref BastionHostRole
          - !Ref AlternativeIAMRole
      Path: / 

有什么建议，我们如何解决这个问题？

Answer 1

乍一看，这里似乎有一个打字错误。

'https://${QSS3BucketName}.s3.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}scripts/bastion_bootstrap.sh'

通常的格式是<BucketName>.s3-<Region>，其中在s3和region之间有一个句点。