amazon-web-services - Cloudformation S3 bucket principal for Cloudfront
Problem description
I'm trying to create a YAML template for a CloudFront distribution on an S3 bucket. I'm stuck on how to add the principal on BucketPolicy.
I want to know how to replace the XXXXXXXXXXX in "CloudFront Origin Access Identity XXXXXXXXXXX" in the principal for a CloudFront distribution that will be generated by deploying the template.
Also, is there a way to add the HTML/CSS sync procedure (which I'm doing through the AWS CLI now) to the YAML template?
Please let me know. TIA
AWSTemplateFormatVersion: 2010-09-09
Resources:
  Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: pridesys.webbucket
      AccessControl: Private
      WebsiteConfiguration:
        IndexDocument: index.html
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref Bucket
      PolicyDocument:
        Id: ReportPolicy
        Version: "2012-10-17"
        Statement:
          - Sid: "1"
            Effect: Allow
            Action: "s3:GetObject"
            Principal:
              AWS: "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"
            Resource: !Join ['', ['arn:aws:s3:::', !Ref Bucket, '/*']]
  Distro:
    Type: 'AWS::CloudFront::Distribution'
    Properties:
      DistributionConfig:
        Origins:
          - DomainName: !GetAtt Bucket.DomainName
            Id: foo
            S3OriginConfig: {}
        Enabled: True
        DefaultRootObject: index.html
        DefaultCacheBehavior:
          ForwardedValues:
            QueryString: False
          TargetOriginId: foo
          ViewerProtocolPolicy: allow-all
Solution
Here is a working example of the S3 origin identity configuration for CloudFront:
WebUIBucket:
  Type: AWS::S3::Bucket
CloudFrontOriginIdentity:
  Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
  Properties:
    CloudFrontOriginAccessIdentityConfig:
      Comment: "origin identity"
WebUIPolicy:
  Type: AWS::S3::BucketPolicy
  Properties:
    Bucket:
      Ref: WebUIBucket
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            CanonicalUser:
              Fn::GetAtt: [ CloudFrontOriginIdentity , S3CanonicalUserId ]
          Action: "s3:GetObject"
          Resource: !Sub "${WebUIBucket.Arn}/*"
WebpageCDN:
  Type: AWS::CloudFront::Distribution
  Properties:
    DistributionConfig:
      Origins:
        - DomainName: !Sub "${WebUIBucket}.s3.amazonaws.com"
          Id: webpage
          S3OriginConfig:
            OriginAccessIdentity: !Sub "origin-access-identity/cloudfront/${CloudFrontOriginIdentity}"
As for syncing your assets into the S3 bucket, that is not something CloudFormation provides. You either have to implement a CustomResource or keep using the CLI.
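As an added example (editor's code, not from the question or the answer), the check below captures the two points the answer makes: the bucket policy's principal should be the canonical user of an OAI declared in the same template (resolved with Fn::GetAtt, not a hard-coded string or "*"), and the distribution's S3OriginConfig must actually reference that OAI. It assumes the template has already been parsed into a dict in the JSON form CloudFormation also accepts, so it needs no YAML library; the two sample templates are constructed to mirror the shapes of the question and the answer.

```python
# Added example (editor's code, not from the question or answer): a small lint for the
# S3 bucket + CloudFront Origin Access Identity pattern. Templates are passed as parsed
# dicts in the JSON form CloudFormation also accepts, so this runs offline, stdlib only.
from typing import Dict, List, Set

OAI_TYPE = "AWS::CloudFront::CloudFrontOriginAccessIdentity"
POLICY_TYPE = "AWS::S3::BucketPolicy"
DISTRIBUTION_TYPE = "AWS::CloudFront::Distribution"

def split_get_att(value):
    """Fn::GetAtt is ["Logical", "Attr"] in JSON form, "Logical.Attr" in YAML short form."""
    if isinstance(value, str):
        logical, _, attr = value.partition(".")
        return logical, attr
    return value[0], value[1]

def check_bucket_policy(name: str, res: Dict, oais: Set[str]) -> List[str]:
    """Allow statements should grant to the template's own OAI, not to '*' or a literal."""
    findings = []
    statements = res.get("Properties", {}).get("PolicyDocument", {}).get("Statement", [])
    if isinstance(statements, dict):  # a single statement object is allowed
        statements = [statements]
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        where = f"{name}.Statement[{idx}]"
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):  # "*" or another literal: anyone can read
            findings.append(f"{where}: Principal {principal!r} is not an OAI canonical user")
            continue
        if "AWS" in principal:
            findings.append(f"{where}: AWS principal {principal['AWS']!r} hard-coded; "
                            "use Fn::GetAtt <OAI>.S3CanonicalUserId instead")
        canonical = principal.get("CanonicalUser")
        if canonical is None:
            continue
        if not (isinstance(canonical, dict) and "Fn::GetAtt" in canonical):
            findings.append(f"{where}: CanonicalUser is a literal, not derived from an OAI resource")
            continue
        logical, attr = split_get_att(canonical["Fn::GetAtt"])
        if logical not in oais or attr != "S3CanonicalUserId":
            findings.append(f"{where}: CanonicalUser must be GetAtt of an OAI's S3CanonicalUserId")
    return findings

def check_distribution(name: str, res: Dict) -> List[str]:
    """Each S3 origin must name an OriginAccessIdentity; otherwise the bucket has to be public."""
    findings = []
    origins = res.get("Properties", {}).get("DistributionConfig", {}).get("Origins", [])
    for origin in origins:
        s3cfg = origin.get("S3OriginConfig")
        if s3cfg is not None and not s3cfg.get("OriginAccessIdentity"):  # None = custom origin
            findings.append(f"{name}.Origins[{origin.get('Id')}]: S3OriginConfig has no OriginAccessIdentity")
    return findings

def lint_template(template: Dict) -> List[str]:
    """Run both checks over every resource and return the findings."""
    resources = template.get("Resources", {})
    oais = {n for n, r in resources.items() if r.get("Type") == OAI_TYPE}
    findings: List[str] = []
    for name, res in resources.items():
        if res.get("Type") == POLICY_TYPE:
            findings.extend(check_bucket_policy(name, res, oais))
        elif res.get("Type") == DISTRIBUTION_TYPE:
            findings.extend(check_distribution(name, res))
    return findings

# Constructed sample shaped like the question: literal principal, empty S3OriginConfig.
WEAK_TEMPLATE = {"Resources": {
    "Bucket": {"Type": "AWS::S3::Bucket"},
    "BucketPolicy": {"Type": POLICY_TYPE, "Properties": {"Bucket": {"Ref": "Bucket"},
        "PolicyDocument": {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
            "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"},
            "Resource": {"Fn::Sub": "${Bucket.Arn}/*"}}]}}},
    "Distro": {"Type": DISTRIBUTION_TYPE, "Properties": {"DistributionConfig": {"Origins": [
        {"Id": "foo", "DomainName": {"Fn::GetAtt": ["Bucket", "DomainName"]}, "S3OriginConfig": {}}]}}},
}}

# Constructed sample shaped like the answer: OAI resource, CanonicalUser resolved from it,
# and the distribution's S3 origin bound to the same OAI.
HARDENED_TEMPLATE = {"Resources": {
    "WebUIBucket": {"Type": "AWS::S3::Bucket"},
    "CloudFrontOriginIdentity": {"Type": OAI_TYPE, "Properties": {
        "CloudFrontOriginAccessIdentityConfig": {"Comment": "origin identity"}}},
    "WebUIPolicy": {"Type": POLICY_TYPE, "Properties": {"Bucket": {"Ref": "WebUIBucket"},
        "PolicyDocument": {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
            "Principal": {"CanonicalUser": {"Fn::GetAtt": ["CloudFrontOriginIdentity", "S3CanonicalUserId"]}},
            "Resource": {"Fn::Sub": "${WebUIBucket.Arn}/*"}}]}}},
    "WebpageCDN": {"Type": DISTRIBUTION_TYPE, "Properties": {"DistributionConfig": {"Origins": [
        {"Id": "webpage", "DomainName": {"Fn::Sub": "${WebUIBucket}.s3.amazonaws.com"},
         "S3OriginConfig": {"OriginAccessIdentity": {
             "Fn::Sub": "origin-access-identity/cloudfront/${CloudFrontOriginIdentity}"}}}]}}},
}}

if __name__ == "__main__":
    for label, tpl in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(label, lint_template(tpl) or ["no findings"])
```

Run against the weak shape it reports the hard-coded principal and the empty S3OriginConfig; against the answer's shape it reports nothing. To use it on a real template, load the YAML with a loader that maps the `!GetAtt`/`!Sub` short forms onto `Fn::GetAtt`/`Fn::Sub` keys (or convert the template to JSON first) and pass the resulting dict to lint_template.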