Mar*_*arc 1 amazon-s3 amazon-web-services terraform terraform-provider-aws
我正在尝试在 Terraform 中设置 S3 存储桶策略。我在模块中编写了以下代码core/main.tf:
resource "aws_s3_bucket_policy" "access_to_bucket" {\n\n bucket = aws_s3_bucket.some_bucket.id\n\n policy = jsonencode({\n Version = "2012-10-17"\n Statement = [\n {\n Action = ["s3:GetObject", "s3:GetObjectAcl", "s3:ListBucket"]\n Effect = "Allow"\n Principal = "${var.some_variable_name}"\n Resource = [\n "${aws_s3_bucket.some_bucket.arn}",\n "${aws_s3_bucket.some_bucket.arn}/*"\n ]\n },\n ]\n })\n}\n\n然后在本地模块中实例化,该模块使用 localstack 在本地运行。
\n这是生成的计划:
\nTerraform will perform the following actions:\n\n # module.local.aws_s3_bucket_policy.access_to_bucket will be created\n + resource "aws_s3_bucket_policy" "access_to_bucket" {\n + bucket = "some_bucket"\n + id = (known after apply)\n + policy = jsonencode(\n {\n + Statement = [\n + {\n + Action = [\n + "s3:GetObject",\n + "s3:GetObjectAcl",\n + "s3:ListBucket",\n ]\n + Effect = "Allow"\n + Principal = "arn:aws:iam::000000000000:role/test_role"\n + Resource = [\n + "arn:aws:s3:::some-bucket/*",\n + "arn:aws:s3:::some-bucket",\n ]\n },\n ]\n + Version = "2012-10-17"\n }\n )\n }\n\xe2\x95\xb7\n\xe2\x94\x82 Error: Error putting S3 policy: MalformedPolicy: Invalid policy syntax.\n\xe2\x94\x82 status code: 400, request id, host id\n\xe2\x94\x82 \n\xe2\x94\x82 with module.local.aws_s3_bucket_policy.access_to_bucket,\n\xe2\x94\x82 on ../core/main.tf line 55, in resource "aws_s3_bucket_policy" "access_to_bucket":\n\xe2\x94\x82 55: resource "aws_s3_bucket_policy" "access_to_bucket" {\n\xe2\x94\x82 \n在本地和 AWS 中运行都会出现此错误。我猜这是某个地方的语法错误,但据我所知这是正确的。知道出了什么问题吗?
\n你的Principal无效。如果您查看 IAM 用户指南(S3 存储桶策略共享相同的语法,但仅限于存储桶上的操作并组合起来形成最低权限访问控制),您应该会看到如下示例:
"Principal" : {
"AWS": [
"arn:aws:iam::123456789012:root",
"arn:aws:iam::555555555555:root"
]
}
123456789012这使得 IAM 操作仅对两个具有 ID和 的AWS 账户中的用户或角色发生555555555555。
在您的情况下,您希望允许IAM 角色,因此您的策略应如下所示:
{
"Version":"2012-10-17",
"Statement":[
{
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::000000000000:role/test_role"},
"Action": ["s3:GetObject", "s3:GetObjectAcl", "s3:ListBucket"],
"Resource": ["arn:aws:s3:::some-bucket/*", "arn:aws:s3:::some-bucket"]
}
]
}
Terraform 允许您自己为 IAM 策略编写 JSON,这可以更轻松地与互联网上的示例进行比较,或者您可以使用数据aws_iam_policy_document源,这将为您提供更多的计划时间验证,因为 Terraform 可以更好地理解您提供的结构它。
与上面等效的政策文档,但作为aws_iam_policy_document数据源,如下所示:
data "aws_iam_policy_document" "bucket_policy" {
statement {
principals {
type = "AWS"
identifiers = ["arn:aws:iam::000000000000:role/test_role"]
}
actions = [
"s3:GetObject",
"s3:GetObjectAcl",
"s3:ListBucket",
]
resources = [
"arn:aws:s3:::some-bucket",
"arn:aws:s3:::some-bucket/*",
]
}
}
resource "aws_s3_bucket_policy" "access_to_bucket" {
bucket = aws_s3_bucket.some_bucket.id
policy = data.aws_iam_policy_document.bucket_policy.json
}
| 归档时间: |
|
| 查看次数: |
4626 次 |
| 最近记录: |