amazon-s3 - S3 Replication - s3:PutReplicationConfiguration
问题描述
I have been attempting to introduce S3 bucket replication into my existing project's stack. I kept getting an 'API: s3:PutBucketReplication Access Denied' error in CloudFormation when updating my stack through my CodeBuild/CodePipeline project after adding the Replication rule on the source bucket + S3 replication role. For testing, I've added full S3 permission ( s3:* ) to the CodeBuild Role for all resources ( "*" ), as well as full S3 permissions on the S3 replication role -- again I got the same result.
Additionally, I tried running a stand-alone, stripped down version of the CF template (so not updating my existing application infrastructure stack) - which creates the buckets (source + target) and the S3 replication role. It was deployed/run through CloudFormation while logged in with my Admin role via the console and again I got the same error as when attempting the deployment with my CodeBuild role in CodePipeline.
As a last ditch sanity check, again being logged in using my admin role for the account, I attempted to perform the replication setup manually on buckets that I created using the S3 console and I got the below error:
You don't have permission to update the replication configuration You or your AWS admin must update your IAM permissions to allow s3:PutReplicationConfiguration, and then try again. Learn more about Identity and access management in Amazon S3 API response Access Denied
I confirmed that my role has full S3 access across all resources. This message seems to suggest to me that the permission s3:PutReplicationConfiguration may be different then other S3 permissions somehow - needing to be configured with root access to the account or something?
Also, it seems strange to me that CloudFormation indicates the s3:PutBucketReplication permission, where as the S3 console error references the permission s3:PutReplicationConfiguration. There doesn't seem to be an IAM action for s3:PutBucketReplication (ref: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html) only s3:PutReplicationConfiguration.
解决方案
Have you checked Permission Boundary? Is this in a corporate control tower or stand alone account?
Deny always wins so if you have a Permission Boundary that excludes some actions even when you have explicitly allowed it you may run into issues like this.
推荐阅读
- java - 在 KIE 执行服务器中使用 drools 全局变量与外部服务交互
- android - 了解 LiveData 和 DataBinding
- spring-boot - 如何在具有多个 ack 的同一主题上使用多个 kafka 消息?
- flask - 在 Flask 应用程序中访问 mongoengine 实例的属性
- python - 使用python或在linux中创建excel文件(.xlsx)时如何设置用户定义的权限
- c# - 如何在asp.net web api中发布数据列表
- php - 如何仅在 WooCommerce 中显示活动选项卡名称
- javascript - 在 chrome 扩展上全局存储文本,并在加载时重用它
- azure - 如何启用具有多个意图和 Qnamaker KB 的主动学习?
- swift - 什么是 Swift 中的桥接转换,如以下警告所示: 'Data?' Conditional downcast to 'CKRecordValue 是一种桥接转换