amazon-web-services - 存储桶记录表单 Applicationloadbalancer 的访问被拒绝:请检查 S3bucket 权限
问题描述
Access Denied for bucket: appdeploy-logbucket-1cca50r865s65.
Please check S3bucket permission (Service: AmazonElasticLoadBalancingV2; Status Code: 400; Error Code:
InvalidConfigurationRequest; Request ID: e5e2245f-2f9b-11e9-a3e9-2dcad78a31ec)
我想将我的 ALB 日志存储到 s3 存储桶,我已经向 s3 存储桶添加了策略,但它说访问被拒绝,我尝试了很多,并且使用了这么多配置,但它一次又一次地失败,我的堆栈回滚,我曾经Troposphere
创建模板。
我已经尝试使用我的策略,但它不是工作。
BucketPolicy = t.add_resource(
s3.BucketPolicy(
"BucketPolicy",
Bucket=Ref(LogBucket),
PolicyDocument={
"Id": "Policy1550067507528",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1550067500750",
"Action": [
"s3:PutObject",
"s3:PutBucketAcl",
"s3:PutBucketLogging",
"s3:PutBucketPolicy"
],
"Effect": "Allow",
"Resource": Join("", [
"arn:aws:s3:::",
Ref(LogBucket),
"/AWSLogs/",
Ref("AWS::AccountId"),
"/*"]),
"Principal": {"AWS": "027434742980"},
}
],
},
))
有什么帮助吗?
解决方案
对流层/堆栈器维护者在这里。我们有一个堆栈器蓝图(它是对流层模板的包装器),我们在工作中用于我们的日志存储桶:
from troposphere import Sub
from troposphere import s3
from stacker.blueprints.base import Blueprint
from awacs.aws import (
Statement, Allow, Policy, AWSPrincipal
)
from awacs.s3 import PutObject
class LoggingBucket(Blueprint):
VARIABLES = {
"ExpirationInDays": {
"type": int,
"description": "Number of days to keep logs around for",
},
# See the table here for account ids.
# https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html#attach-bucket-policy
"AWSAccountId": {
"type": str,
"description": "The AWS account ID to allow access to putting "
"logs in this bucket.",
"default": "797873946194" # us-west-2
},
}
def create_template(self):
t = self.template
variables = self.get_variables()
bucket = t.add_resource(
s3.Bucket(
"Bucket",
LifecycleConfiguration=s3.LifecycleConfiguration(
Rules=[
s3.LifecycleRule(
Status="Enabled",
ExpirationInDays=variables["ExpirationInDays"]
)
]
)
)
)
# Give ELB access to PutObject in the bucket.
t.add_resource(
s3.BucketPolicy(
"BucketPolicy",
Bucket=bucket.Ref(),
PolicyDocument=Policy(
Statement=[
Statement(
Effect=Allow,
Action=[PutObject],
Principal=AWSPrincipal(variables["AWSAccountId"]),
Resource=[Sub("arn:aws:s3:::${Bucket}/*")]
)
]
)
)
)
self.add_output("BucketId", bucket.Ref())
self.add_output("BucketArn", bucket.GetAtt("Arn"))
希望这会有所帮助!
推荐阅读
- python - N 以下所有包含数字 7 的数字的总和
- sql - 查找员工是否是经理
- c - C、错误:表达式必须是可修改的左值错误
- reactjs - “object Object”在 ReactJS 上使用 Formik 表单显示为输入值
- swagger - 如何在 Swagger UI 中进行身份验证后设置 Bearer 令牌
- python - Python,pandas 从 csv 打印最频繁的 1-1000
- system-verilog - 用 let 构造替换 `define
- c - 访问堆栈内存需要多长时间?
- python-3.x - 迭代熊猫数据框中的列列表
- typescript - 通过打字稿在电子中共享数据