oct*_*opi 6 amazon-web-services terraform terraform-provider-aws
我已按照 StackOverflow 上这篇文章的第一个答案进行操作,但收到此错误:
配置 LB 属性失败:InvalidConfigurationRequest:存储桶:myproject-log 的访问被拒绝。请检查S3bucket权限状态码:400
这是我的代码:
s3_bucket
data "aws_elb_service_account" "main" {}
resource "aws_s3_bucket" "bucket_log" {
bucket = "${var.project}-log"
acl = "log-delivery-write"
policy = <<POLICY
{
"Id": "Policy",
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::${var.project}-log/AWSLogs/*",
"Principal": {
"AWS": [
"${data.aws_elb_service_account.main.arn}"
]
}
}
]
}
POLICY
}
负载均衡器
resource "aws_lb" "vm_stage" {
name = "${var.project}-lb-stg"
internal = false
load_balancer_type = "application"
subnets = [aws_subnet.subnet_1.id, aws_subnet.subnet_2.id, aws_subnet.subnet_3.id]
security_groups = [aws_security_group.elb_project_stg.id]
access_logs {
bucket = aws_s3_bucket.bucket_log.id
prefix = "lb-stg"
enabled = true
}
tags = {
Name = "${var.project}-lb-stg"
}
}
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html
\n请参考上面的文档并更改您的存储桶的 iam 策略以反映文档的说明。日志记录实际上是由 AWS 完成的,而不是您的角色或 IAM 用户。因此,您需要授予 \xc3\x85WS 权限才能执行此操作。这就是文档在策略中显示指定delivery.logs.amazonaws.com主体的语句的原因。该主体就是 AWS 日志服务。即使您的存储桶托管在 AWS 上,默认情况下它们也不会授予自己访问您的存储桶的权限。如果您希望 AWS 的服务正常运行,您必须明确授予对 AWS 的访问权限。
| 归档时间: |
|
| 查看次数: |
3842 次 |
| 最近记录: |