时间戳

首页 > 解决方案 > 为什么我收到以下错误?“放置 S3 策略时出错:MalformedPolicy:策略的操作无效”

amazon-web-services - 为什么我收到以下错误?“放置 S3 策略时出错:MalformedPolicy:策略的操作无效”

问题描述

我正在按照此处的指南允许将日志写入 s3。

“使用以下访问策略使 Kinesis Data Firehose 能够访问您的 S3 存储桶和 AWS KMS 密钥。如果您不拥有 S3 存储桶,请将 s3:PutObjectAcl 添加到 Amazon S3 操作列表中。这将授予存储桶所有者完全访问权限到 Kinesis Data Firehose 交付的对象。"

{
"Version": "2012-10-17",  
"Statement":
[    
    {      
        "Effect": "Allow",      
        "Action": [
            "s3:AbortMultipartUpload",
            "s3:GetBucketLocation",
            "s3:GetObject",
            "s3:ListBucket",
            "s3:ListBucketMultipartUploads",
            "s3:PutObject"
        ],      
        "Resource": [        
            "arn:aws:s3:::bucket-name",
            "arn:aws:s3:::bucket-name/*"            
        ]    
    },        
    {
        "Effect": "Allow",
        "Action": [
            "kinesis:DescribeStream",
            "kinesis:GetShardIterator",
            "kinesis:GetRecords",
            "kinesis:ListShards"
        ],
        "Resource": "arn:aws:kinesis:region:account-id:stream/stream-name"
    },
    {
       "Effect": "Allow",
       "Action": [
           "kms:Decrypt",
           "kms:GenerateDataKey"
       ],
       "Resource": [
           "arn:aws:kms:region:account-id:key/key-id"           
       ],
       "Condition": {
           "StringEquals": {
               "kms:ViaService": "s3.region.amazonaws.com"
           },
           "StringLike": {
               "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::bucket-name/prefix*"
           }
       }
    },
    {
       "Effect": "Allow",
       "Action": [
           "logs:PutLogEvents"
       ],
       "Resource": [
           "arn:aws:logs:region:account-id:log-group:log-group-name:log-stream:log-stream-name"
       ]
    },
    {
       "Effect": "Allow", 
       "Action": [
           "lambda:InvokeFunction", 
           "lambda:GetFunctionConfiguration" 
       ],
       "Resource": [
           "arn:aws:lambda:region:account-id:function:function-name:function-version"
       ]
    }
]

}

具体来说,我看到错误的块如下(我已经包含了主体,因为这是必需的):

    {
        "Effect": "Allow",
        "Principal": {
            "AWS": [
                "${account_id}"
            ]
        },
        "Action": [
            "kinesis:DescribeStream",
            "kinesis:GetShardIterator",
            "kinesis:GetRecords",
            "kinesis:ListShards"
        ],
        "Resource": "arn:aws:kinesis:${region}:${account_id}:stream/*"
    },

但是当我尝试将策略应用于 s3 存储桶时,我得到以下信息:

Error: Error putting S3 policy: MalformedPolicy: Policy has invalid action

│ status code: 400, request id: xxxxxxxxxxxxx, host id: xxxxxxxxxxxxxxxxxxxxxxxxxxxx │</p>

为什么我会收到这个错误?

标签: amazon-web-servicesamazon-kinesisamazon-kinesis-firehose

解决方案

这个块:

{
    "Effect": "Allow",
    "Action": [
        "kinesis:DescribeStream",
        "kinesis:GetShardIterator",
        "kinesis:GetRecords",
        "kinesis:ListShards"
    ],
    "Resource": "arn:aws:kinesis:region:account-id:stream/stream-name"
},

表示要对 Kinesis数据流执行的操作,而不是 Kinesis传输流。这是 AWS 文档中的错误。如果您没有从数据流中提供传输流,则可以删除此块。

推荐阅读