Following the AWS documentation: https://docs.aws.amazon.com/blockchain-templates/latest/developerguide/blockchain-templates-hyperledger.html and using the IAM policy from the documentation:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:DescribeImages",
        "ecr:BatchGetImage",
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "*"
    }
  ]
}
But the stack could not be launched. I then added all of the following permissions:
AmazonEC2FullAccess
AmazonEC2ContainerRegistryFullAccess
AmazonS3FullAccess
AmazonEC2ContainerRegistryReadOnly
AmazonS3ReadOnlyAccess
AmazonEC2ContainerServiceFullAccess
AdministratorAccess
But still no luck, and I received this error:
The following resource(s) failed to create: [EC2InstanceForDev].
Which IAM policy should I add to fix this error?
Thanks!
The official AWS Blockchain CloudFormation template for Hyperledger Fabric is a nested template (our base template calls another template, which does all the setup on the EC2 instance it creates itself).
The problem, however, is that it does everything on the EC2 instance except install docker-compose, so at the end it throws an error that the docker-compose command is not found, which causes the CloudFormation resource (EC2InstanceForDev) to fail and the stack to roll back. So instead of using the CloudFormation template, we can run the same script manually on an EC2 instance with only one small change: pre-install docker-compose. The rest of the setup stays the same, i.e.:
1. Create a VPC,
2. Create a public subnet,
3. Create an EIP if you want to attach it later,
4. Create a key pair for SSH,
5. Create an IAM role and policy,
6. Create a security group with inbound 8080 (TCP) & 22 (SSH),
7. Launch the EC2 instance using the resources created in steps (1 to 6).
Preferred AMI -->>
Docker image repository -
Script to run on EC2
#!/bin/bash -x
# Pre-install docker-compose (the step the stock template is missing).
sudo curl -L https://github.com/docker/compose/releases/download/1.22.0/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
docker-compose --version
# CloudFormation helper scripts (provide /opt/aws/bin/cfn-signal).
yum install -y aws-cfn-bootstrap
res=$?
echo $res
# Fetch and unpack the Fabric basic-network artifacts.
mkdir /tmp/fabric-install/
cd /tmp/fabric-install/
wget https://aws-blockchain-templates-us-east-1.s3.us-east-1.amazonaws.com/hyperledger/fabric/templates/simplenetwork/latest/HyperLedger-BasicNetwork.tgz -O /home/ec2-user/HyperLedger-BasicNetwork.tgz
cd /home/ec2-user
tar xzvf HyperLedger-BasicNetwork.tgz
rm /home/ec2-user/HyperLedger-BasicNetwork.tgz
chown -R ec2-user:ec2-user HyperLedger-BasicNetwork
chmod +x /home/ec2-user/HyperLedger-BasicNetwork/artifacts/first-run-standalone.sh
# Arguments: region, root domain, org1/org2/org3 sub-domains, channel name, ECR registry URL, ECR account ID.
/home/ec2-user/HyperLedger-BasicNetwork/artifacts/first-run-standalone.sh us-east-1 example.com org1 org2 org3 mychannel 354658284331.dkr.ecr.us-east-1.amazonaws.com/ 354658284331
res=$?
echo $res
# Signal init result (only meaningful when run from a CloudFormation stack; the stack name below is the poster's own).
/opt/aws/bin/cfn-signal -e $res --stack blockchainbook-FabricEC2CommonStack-1OXLFN66D7U1J --resource EC2InstanceForDev --region us-east-1
The IAM policy I used for the role -
- Please replace the ECR account number and the AWS region in the script above with the ones for your region. The script also uses example.com org1 org2 org3 mychannel (change these as required too); they are the same as the RootDomain, Org1SubDomain, Org2SubDomain, Org3SubDomain and ChannelName we enter in the CF template.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:DescribeImages",
        "ecr:BatchGetImage"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "*"
    }
  ]
}
NOTE
The whole process was tested in the us-east-1 region; the script can be deployed directly in us-east-1. Access the Hyperledger web console at http://EC2-DNS or EIP:8080.
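The role policy in the answer above grants every ECR and S3 read action on Resource "*", which is broader than the bootstrap script needs: the script only pulls images from the ECR registry of account 354658284331 in us-east-1 and fetches the template archive from the aws-blockchain-templates-us-east-1 bucket (both values are taken from the script itself). The following is an added example, not code from the post or from AWS: it flags the wildcard statements in the posted policy and builds an equivalent read-only policy scoped to that registry and bucket. ecr:GetAuthorizationToken legitimately stays on "*" because IAM has no resource-level permissions for it. Assumptions: the scoped S3 statement keeps read access to the template bucket as the posted policy intended, and pulling from another account's registry additionally depends on that registry's repository policy allowing your account, which a role policy alone cannot grant.

```python
"""Scope the Resource "*" policy from the answer down to the ECR registry and
S3 bucket that the bootstrap script actually uses (added example, not AWS code)."""
import json

# Values taken from the script in the answer above.
REGION = "us-east-1"
ECR_ACCOUNT = "354658284331"                            # registry the Fabric images are pulled from
TEMPLATE_BUCKET = "aws-blockchain-templates-us-east-1"  # bucket the .tgz is fetched from

# The policy as posted in the answer: every statement is granted on Resource "*".
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
                    "ecr:GetDownloadUrlForLayer", "ecr:GetRepositoryPolicy",
                    "ecr:DescribeRepositories", "ecr:ListImages",
                    "ecr:DescribeImages", "ecr:BatchGetImage"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
    ],
}

# Actions IAM only evaluates against Resource "*" (no resource ARN exists for them),
# so a wildcard resource on these alone is not a finding.
WILDCARD_ONLY_ACTIONS = {"ecr:GetAuthorizationToken"}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def wildcard_findings(policy):
    """Return [(statement index, actions)] for Allow statements that grant
    Resource "*" to actions that would accept a narrower resource ARN."""
    findings = []
    for index, statement in enumerate(policy["Statement"]):
        if statement.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(statement.get("Resource")):
            continue
        scopable = [a for a in _as_list(statement.get("Action"))
                    if a not in WILDCARD_ONLY_ACTIONS]
        if scopable:
            findings.append((index, scopable))
    return findings


def least_privilege_policy(region=REGION, ecr_account=ECR_ACCOUNT, bucket=TEMPLATE_BUCKET):
    """Same pull/read capability as the posted policy, scoped to the registry and bucket used."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Docker login token: no resource-level permissions exist for this call.
                "Sid": "EcrLogin",
                "Effect": "Allow",
                "Action": "ecr:GetAuthorizationToken",
                "Resource": "*",
            },
            {   # Pull-only access, limited to repositories in the Fabric image registry.
                "Sid": "PullFabricImages",
                "Effect": "Allow",
                "Action": ["ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer",
                           "ecr:GetRepositoryPolicy", "ecr:DescribeRepositories",
                           "ecr:ListImages", "ecr:DescribeImages", "ecr:BatchGetImage"],
                "Resource": f"arn:aws:ecr:{region}:{ecr_account}:repository/*",
            },
            {   # Read the template bucket only: bucket ARN for ListBucket, object ARN for GetObject.
                "Sid": "ReadTemplateBucket",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            },
        ],
    }


if __name__ == "__main__":
    for index, actions in wildcard_findings(POSTED_POLICY):
        print(f'statement {index}: Resource "*" granted for {", ".join(actions)}')
    print(json.dumps(least_privilege_policy(), indent=2))
```

Run it as-is to see the two wildcard findings in the posted policy and the scoped replacement; pass your own region, registry account and bucket to least_privilege_policy() when deploying outside us-east-1, as the answer's note about replacing those values requires.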