角色无权在 KinesisStream 上执行 DescribeStream

Question

我对 S3 和 Kinesis 流各有 2 个策略，其中包括 DescribeStream。S3 策略运行良好，但 KinesisPolicy 出现此错误。

资源：

• S3
• 运动流
• 消防水带

角色：

• 消防水管角色

政策：

• 具有以下权限的 S3 策略：

        - 's3:AbortMultipartUpload'
        - 's3:GetBucketLocation'
        - 's3:GetObject'
        - 's3:ListBucket'
        - 's3:ListBucketMultipartUploads'
        - 's3:PutObject'
  

• 具有以下权限的 Kinesis 策略：

        - 'kinesis:PutRecord'
        - 'kinesis:DescribeStreamSummary'
        - 'kinesis:PutRecords'
        - 'kinesis:GetShardIterator'
        - 'kinesis:GetRecords'
        - 'kinesis:DescribeStream'
  

错误：

角色 (firehoseRole) 无权在 MyKinesisStream 上执行 DescribeStream。

云形成模板

---

Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      VersioningConfiguration:
        Status: Enabled

 firehoseRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: ''
            Effect: Allow
            Principal:
              Service: firehose.amazonaws.com
            Action: 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref 'AWS::AccountId'

  DeliveryPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: firehose_delivery_policy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - 's3:AbortMultipartUpload'
              - 's3:GetBucketLocation'
              - 's3:GetObject'
              - 's3:ListBucket'
              - 's3:ListBucketMultipartUploads'
              - 's3:PutObject'
            Resource:
              - !Sub 'arn:aws:s3:::${S3Bucket}'
              - !Sub 'arn:aws:s3:::${S3Bucket}*'
      Roles:
        - !Ref firehoseRole

  KinesisPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: kinesis_policy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action: 
              - 'kinesis:PutRecord'
              - 'kinesis:DescribeStreamSummary'
              - 'kinesis:PutRecords'
              - 'kinesis:GetShardIterator'
              - 'kinesis:GetRecords'
              - 'kinesis:DescribeStream'
            Resource:
              - !GetAtt MyKinesisStream.Arn
      Roles:
        - !Ref firehoseRole

  MyKinesisStream:
    Type: AWS::Kinesis::Stream
    Properties: 
      ShardCount: 1

  DeliveryStream:
    Type: AWS::KinesisFirehose::DeliveryStream
    Properties:
      DeliveryStreamType: KinesisStreamAsSource
      KinesisStreamSourceConfiguration:
        KinesisStreamARN: !GetAtt MyKinesisStream.Arn
        RoleARN: !GetAtt firehoseRole.Arn
      S3DestinationConfiguration:
        BucketARN: !GetAtt S3Bucket.Arn
        BufferingHints:
          IntervalInSeconds: 60
          SizeInMBs: 50
        CompressionFormat: UNCOMPRESSED
        Prefix: firehose/
        RoleARN: !GetAtt firehoseRole.Arn

Answer 1

我能够解决错误。我必须将 DependsOn 添加到 DeliveryStream 并包含这两个策略。