amazon-web-services - 放置 S3 策略时出错:MalformedPolicy:策略语法无效
问题描述
我正在尝试在 Terraform 中设置 S3 存储桶策略。我在一个模块中编写了以下代码core/main.tf
:
resource "aws_s3_bucket_policy" "access_to_bucket" {
bucket = aws_s3_bucket.some_bucket.id
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = ["s3:GetObject", "s3:GetObjectAcl", "s3:ListBucket"]
Effect = "Allow"
Principal = "${var.some_variable_name}"
Resource = [
"${aws_s3_bucket.some_bucket.arn}",
"${aws_s3_bucket.some_bucket.arn}/*"
]
},
]
})
}
然后在本地模块中实例化,该模块使用 localstack 在本地运行。
这是生成的计划:
Terraform will perform the following actions:
# module.local.aws_s3_bucket_policy.access_to_bucket will be created
+ resource "aws_s3_bucket_policy" "access_to_bucket" {
+ bucket = "some_bucket"
+ id = (known after apply)
+ policy = jsonencode(
{
+ Statement = [
+ {
+ Action = [
+ "s3:GetObject",
+ "s3:GetObjectAcl",
+ "s3:ListBucket",
]
+ Effect = "Allow"
+ Principal = "arn:aws:iam::000000000000:role/test_role"
+ Resource = [
+ "arn:aws:s3:::some-bucket/*",
+ "arn:aws:s3:::some-bucket",
]
},
]
+ Version = "2012-10-17"
}
)
}
╷
│ Error: Error putting S3 policy: MalformedPolicy: Invalid policy syntax.
│ status code: 400, request id, host id
│
│ with module.local.aws_s3_bucket_policy.access_to_bucket,
│ on ../core/main.tf line 55, in resource "aws_s3_bucket_policy" "access_to_bucket":
│ 55: resource "aws_s3_bucket_policy" "access_to_bucket" {
│
在本地和 AWS 中运行它最终会出现此错误。我猜这是某处的语法错误,但 AFAIK 这是正确的。任何线索有什么问题?
解决方案
你Principal
的无效。如果您查看Principal 元素上的 IAM 用户指南(S3 存储桶策略共享相同的语法,但仅限于对存储桶的操作并组合形成最低权限访问控制),您应该会看到如下示例:
"Principal" : {
"AWS": [
"arn:aws:iam::123456789012:root",
"arn:aws:iam::555555555555:root"
]
}
这允许 IAM 操作仅针对具有 ID123456789012
和的两个 AWS 账户中的用户或角色发生555555555555
。
在您的情况下,您希望允许IAM 角色,因此您的策略应如下所示:
{
"Version":"2012-10-17",
"Statement":[
{
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::000000000000:role/test_role"},
"Action": ["s3:GetObject", "s3:GetObjectAcl", "s3:ListBucket"],
"Resource": ["arn:aws:s3:::some-bucket/*", "arn:aws:s3:::some-bucket"]
}
]
}
Terraform 允许您自己为您的 IAM 策略编写 JSON,这可以更容易与 Internet 上的示例进行比较,或者您可以使用aws_iam_policy_document
数据源,因为 Terraform 可以更好地理解您提供的结构,从而为您提供更多计划时间验证它。
与上述等效但作为aws_iam_policy_document
数据源的政策文件如下所示:
data "aws_iam_policy_document" "bucket_policy" {
statement {
principals {
type = "AWS"
identifiers = ["arn:aws:iam::000000000000:role/test_role"]
}
actions = [
"s3:GetObject",
"s3:GetObjectAcl",
"s3:ListBucket",
]
resources = [
"arn:aws:s3:::some-bucket",
"arn:aws:s3:::some-bucket/*",
]
}
}
resource "aws_s3_bucket_policy" "access_to_bucket" {
bucket = aws_s3_bucket.some_bucket.id
policy = data.aws_iam_policy_document.bucket_policy.json
}
推荐阅读
- azure - AMLS 计算:VM 上的笔记本电脑
- laravel - Laravel Socialite Providers GOOGLE ERROR Legacy People API 尚未在项目中使用
- python - Jira Python 自定义字段
- regex - 删除 Wordpress URL 上的问号
- php - 如何使用 PHP 解析 Google Fit Json 字符串
- c# - 缺少小数分隔符
- android - GetCurrent 用户仅从 Firebase Google 应用返回登录用户
- google-cloud-platform - Google Cloud 的本地数据传输服务
- php - 我可以在 PHP 中使用 random_bytes(3) 生成多少个随机字符串?
- python - 使用python从网站的多个页面中抓取数据