amazon-web-services - terraform/aws lambda function access denied on s3
Problem description
Testing the AWS Instance Scheduler with terraform. The code is here
It looks like my code is riddled with this error:
Error: error waiting for CloudFormation Stack creation: failed to create CloudFormation stack, rollback requested (ROLLBACK_COMPLETE): ["The following resource(s) failed to create: [Main]. Rollback requested by user." "Your access has been denied by S3, please make sure your request credentials have GetObject permissions for solutions-us-gov-west-1/aws-instance-scheduler/v1.3.1/instance-scheduler.zip. S3 Error Code: AccessDenied. S3 Error Message: Access Denied (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException; Request ID: 731b7c0d-cda9-4f9e-b821-efed4cbced46; Proxy: null)"]
Here is part of the code: IAM policy
"InstanceSchedulerEncryptionKeyAlias": {
  "Type": "AWS::KMS::Alias",
  "Properties": {
    "AliasName": "alias/instance-scheduler-encryption-key",
    "TargetKeyId": {
      "Ref": "InstanceSchedulerEncryptionKey"
    }
  }
},
"SchedulerPolicy": {
  "Type": "AWS::IAM::Policy",
  "Metadata": {
    "cfn_nag": {
      "rules_to_suppress": [
        {
          "id": "W12",
          "reason": "All policies have been scoped to be as restrictive as possible. This solution needs to access ec2/rds resources across all regions."
        }
      ]
    }
  },
  "Properties": {
    "PolicyName": "SchedulerPolicy",
    "Roles": [
      {
        "Ref": "SchedulerRole"
      }
    ],
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents",
            "logs:PutRetentionPolicy",
            "logs:*"
          ],
          "Resource": [
            {
              "Fn::Join": [
                ":",
                [
                  "arn:aws-us-gov:logs:*:*:*",
                  {
                    "Ref": "AWS::Region"
                  },
                  {
                    "Ref": "AWS::AccountId"
                  },
                  "log-group",
                  {
                    "Ref": "SchedulerLogGroup"
                  },
                  "*"
                ]
              ]
            },
            {
              "Fn::Join": [
                ":",
                [
                  "arn:aws-us-gov:logs:*:*:*",
                  {
                    "Ref": "AWS::Region"
                  },
                  {
                    "Ref": "AWS::AccountId"
                  },
                  "log-group:/aws/lambda/*"
                ]
              ]
            }
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:*"
          ],
          "Resource": [
            "arn:aws-us-gov:s3:::*"
          ]
        },
IAM role
"SchedulerRole": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "lambda.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        },
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "events.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    },
    "Path": "/"
  }
},
I'm sure it is confused by my formatting in the code, or I'm missing something in the role or policy for s3. I looked for similar issues here and would appreciate any pointers on my code. I know I'm close.
Solution
Your Join in SchedulerPolicy is wrong. You need to remove the trailing *:*:*.
"Fn::Join": [
  ":",
  [
    "arn:aws-us-gov:logs:*:*:*",
    {
      "Ref": "AWS::Region"
    },
    {
      "Ref": "AWS::AccountId"
    },
    "log-group:/aws/lambda/*"
  ]
]
With the join above you end up with the string arn:aws-us-gov:logs:*:*:*:us-east-1:0987654321:log-group:/aws/lambda/*
instead of the expected arn:aws-us-gov:logs:us-east-1:0987654321:log-group:/aws/lambda/*
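As an added check (example code written for this page, not from the question, the answer, or the AWS Instance Scheduler solution), the script below resolves an Fn::Join offline the way CloudFormation would and then lints the resulting ARN. The region and account id are made up; BROKEN_JOIN is the join as posted, FIXED_JOIN is the same join with the trailing *:*:* removed, and S3_STATEMENT is the s3:* statement from the question's policy, which the linter also flags because it allows every S3 action on every bucket in the partition.

```python
"""Resolve CloudFormation Fn::Join expressions offline and lint the ARNs they
produce.  Added example for this page, not code from the question, the answer
or the AWS Instance Scheduler solution; the region and account id are made up."""
from __future__ import annotations

import re
from typing import Any

# Constructed pseudo-parameter values; in a real stack CloudFormation supplies them.
PARAMS = {"AWS::Region": "us-gov-west-1", "AWS::AccountId": "123456789012"}

# arn:partition:service:region:account:resource (region/account may be empty or *)
ARN_RE = re.compile(
    r"^arn:(?P<partition>aws(?:-[a-z]+)*):(?P<service>[a-z0-9-]+):"
    r"(?P<region>[a-z0-9-]*|\*):(?P<account>\d{12}|\*|):(?P<resource>.+)$"
)

# The Join as posted (broken) and with the trailing *:*:* removed (fixed).
BROKEN_JOIN = {"Fn::Join": [":", ["arn:aws-us-gov:logs:*:*:*",
                                  {"Ref": "AWS::Region"}, {"Ref": "AWS::AccountId"},
                                  "log-group:/aws/lambda/*"]]}
FIXED_JOIN = {"Fn::Join": [":", ["arn:aws-us-gov:logs",
                                 {"Ref": "AWS::Region"}, {"Ref": "AWS::AccountId"},
                                 "log-group:/aws/lambda/*"]]}
# The s3 statement from the question's SchedulerPolicy.
S3_STATEMENT = {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws-us-gov:s3:::*"]}


def resolve(node: Any, params: dict[str, str]) -> Any:
    """Evaluate Ref (pseudo-parameters only) and Fn::Join recursively.
    Refs to other resources are left as ${Name} placeholders."""
    if isinstance(node, dict):
        if "Ref" in node:
            return params.get(node["Ref"], "${%s}" % node["Ref"])
        if "Fn::Join" in node:
            delimiter, parts = node["Fn::Join"]
            return delimiter.join(str(resolve(p, params)) for p in parts)
        return {k: resolve(v, params) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, params) for v in node]
    return node


def arn_problems(arn: str) -> list[str]:
    """Return a list of problems with a resolved ARN; empty means it looks sane."""
    m = ARN_RE.match(arn)
    if not m:
        return [f"not of the form arn:partition:service:region:account:resource: {arn}"]
    problems = []
    # A CloudWatch Logs ARN's resource part must start with log-group: ; anything
    # else means literal fields leaked into the resource (the *:*:* bug on this page).
    if m["service"] == "logs" and not m["resource"].startswith("log-group:"):
        problems.append(f"logs ARN resource does not start with 'log-group:': {m['resource']}")
    return problems


def statement_problems(stmt: dict, params: dict[str, str]) -> list[str]:
    """Resolve one IAM statement and report malformed ARNs and service-wide wildcards."""
    stmt = resolve(stmt, params)
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]

    def every_resource(r: str) -> bool:
        m = ARN_RE.match(r)
        return r == "*" or (m is not None and m["resource"] == "*")

    problems = []
    for arn in resources:
        problems.extend(arn_problems(arn))
    broad = [a for a in actions if a == "*" or a.endswith(":*")]
    wide = [r for r in resources if every_resource(r)]
    if stmt.get("Effect") == "Allow" and broad and wide:
        problems.append(f"{broad} allowed on every resource: {wide}")
    return problems


if __name__ == "__main__":
    for label, join in (("broken", BROKEN_JOIN), ("fixed", FIXED_JOIN)):
        arn = resolve(join, PARAMS)
        print(f"{label}: {arn}")
        for p in arn_problems(arn):
            print("  problem:", p)
    for p in statement_problems(S3_STATEMENT, PARAMS):
        print("s3 statement problem:", p)
```

Running it prints the two resolved strings side by side; only the broken one fails the logs check, because after the first five fields are consumed the leftover `*:us-gov-west-1:123456789012:log-group:/aws/lambda/*` lands in the resource position, which is why the policy matches nothing useful. The same resolver can be pointed at any Fn::Join in a template before you pay for a ROLLBACK_COMPLETE to find out.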