存储桶创建导致未授权

存储桶创建导致未授权

本文介绍了Terraform S3 存储桶创建导致未授权的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

创建 S3 存储桶需要什么 AWS 权限,这会导致 ec2/DescribeAccountAttributes 和 s3/CreateBucket 上的 HTTP/1.1 403 Forbidden.或者如何获取有关 AWS 方面的更多信息以进行进一步的故障排除.

What AWS permission is required to create a S3 bucket, which causes HTTP/1.1 403 Forbidden on ec2/DescribeAccountAttributes and s3/CreateBucket. Or how to get further information on AWS side to further trouble-shoot.

将 EC2 和 S3 的所有权限添加到用户帐户,但没有解决问题.

Added all permissions on EC2 and S3 to the user account, but did not solve the problem.

如果我拥有帐户所有者的所有权限(使用不同的帐户),则不会发生这种情况.

If I have all the permission as the account owner (using different account), this will not happen.

正在尝试创建 S3 存储桶.

Trying to create a S3 bucket.

resource "aws_s3_bucket" "s3_bucket_tfstate" {
  bucket = "${var.s3_bucket_tfstate}"
  acl    = "private"
}

但是它会导致 403 和下面的 TF_LOG=DEBUG.

However it causes 403 with the TF_LOG=DEBUG below.

2017/12/06 18:55:35 [DEBUG] [aws-sdk-go] DEBUG: Request ec2/DescribeAccountAttributes Details:
---[ REQUEST POST-SIGN ]-----------------------------
POST / HTTP/1.1
Host: ec2.ap-southeast-2.amazonaws.com
User-Agent: aws-sdk-go/1.12.35 (go1.9; darwin; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.11.0-beta1
Content-Length: 87
Authorization: AWS4-HMAC-SHA256 Credential=<credential>/20171206/ap-southeast-2/ec2/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date, Signature=****
Content-Type: application/x-www-form-urlencoded; charset=utf-8
X-Amz-Date: 20171206T075535Z
Accept-Encoding: gzip

Action=DescribeAccountAttributes&AttributeName.1=supported-platforms&Version=2016-11-15
-----------------------------------------------------
2017/12/06 18:55:35 [DEBUG] [aws-sdk-go] DEBUG: Response ec2/DescribeAccountAttributes Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 403 Forbidden
Connection: close
Transfer-Encoding: chunked
Date: Wed, 06 Dec 2017 07:55:37 GMT
Server: AmazonEC2


-----------------------------------------------------
2017/12/06 18:55:35 [DEBUG] [aws-sdk-go] <?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>UnauthorizedOperation</Code><Message>You are not authorized to perform this operation.</Message></Error></Errors><RequestID>0b9480d5-a687-46f8-a0ca-a212c37ce3fb</RequestID></Response>
2017/12/06 18:55:35 [DEBUG] [aws-sdk-go] DEBUG: Validate Response ec2/DescribeAccountAttributes failed, not retrying, error UnauthorizedOperation: You are not authorized to perform this operation.


2017/12/06 19:55:52 [DEBUG] [aws-sdk-go] DEBUG: Request s3/CreateBucket Details:
---[ REQUEST POST-SIGN ]-----------------------------
PUT / HTTP/1.1
Host: mule-cdr-billing-adapter-config-tfstate.s3.ap-southeast-2.amazonaws.com
User-Agent: aws-sdk-go/1.12.35 (go1.9; darwin; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.11.0-beta1
Content-Length: 158
Authorization: AWS4-HMAC-SHA256 Credential=****/20171206/ap-southeast-2/s3/aws4_request, SignedHeaders=content-length;host;x-amz-acl;x-amz-content-sha256;x-amz-date, Signature=****
X-Amz-Acl: private
X-Amz-Content-Sha256: 8bfaf12a44a138dc6f38eb5c291558f2c551b0f18ab6e2a5e7f9a00176b25240
X-Amz-Date: 20171206T085552Z
Accept-Encoding: gzip

<CreateBucketConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><LocationConstraint>ap-southeast-2</LocationConstraint></CreateBucketConfiguration>
-----------------------------------------------------
2017/12/06 19:55:53 [DEBUG] [aws-sdk-go] DEBUG: Response s3/CreateBucket Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 403 Forbidden
Connection: close
Transfer-Encoding: chunked
Content-Type: application/xml
Date: Wed, 06 Dec 2017 08:55:55 GMT
Server: AmazonS3
X-Amz-Id-2: oAttLYQ1qxta2qs03RD79G8xZxTSfDtauQZyeQ8lsq2+4LWBghg+bGjpNvL6Xl1qPnIwE8YOyRs=
X-Amz-Request-Id: 9B562398EEFDF96E


-----------------------------------------------------
2017/12/06 19:55:53 [DEBUG] [aws-sdk-go] <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>9B562398EEFDF96E</RequestId><HostId>oAttLYQ1qxta2qs03RD79G8xZxTSfDtauQZyeQ8lsq2+4LWBghg+bGjpNvL6Xl1qPnIwE8YOyRs=</HostId></Error>
2017/12/06 19:55:53 [DEBUG] [aws-sdk-go] DEBUG: Validate Response s3/CreateBucket failed, not retrying, error AccessDenied: Access Denied
    status code: 403, request id: 9B562398EEFDF96E, host id: oAttLYQ1qxta2qs03RD79G8xZxTSfDtauQZyeQ8lsq2+4LWBghg+bGjpNvL6Xl1qPnIwE8YOyRs=

推荐答案

原因

通过 IAM 策略模拟器模拟 AWS S3 创建存储桶 发现阻止创建的策略是 MFA.

Cause

Simulated the AWS S3 create bucket via the IAM Policy simulator and found the policy preventing the creation was MFA.

session=$(aws sts get-session-token --profile $AWS_PROFILE --serial-number $SECURITY_DEVICE_ARN --token-code $MFA_TOKEN)
export AWS_ACCESS_KEY_ID=$(echo $session | jq  -r .Credentials.AccessKeyId)
export AWS_SECRET_ACCESS_KEY=$(echo $session | jq  -r .Credentials.SecretAccessKey)
export AWS_SESSION_TOKEN=$(echo $session | jq -r .Credentials.SessionToken)
export AWS_MFA_SERIAL_NUMBER=${MFA_TOKEN}

然后运行 ​​terraform.

Then run the terraform.

这篇关于Terraform S3 存储桶创建导致未授权的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

07-22 08:22