如何使用cloudformation更改s3存储桶策略? | 使用cloudformation更改s3存储桶

本文介绍了如何使用cloudformation更改s3存储桶策略?的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

我希望能够使用cloudformation更改s3存储桶上的策略.但是，当我尝试执行此操作时，会遇到错误:

I would like to be able to change the policies on s3 buckets using cloudformation. However when I attempt to do this I encounter the error:

2017-12-21 18:49:10 UTC   TestBucketpolicyAwsS3Bucketpolicy   CREATE_FAILED        API: s3:PutBucketPolicy Access Denied

以下是因此问题而失败的cloudformation模板的示例:

Here is an example of a cloudformation template that fails due to this issue:

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "",
  "Resources": {
    "TestBucketpolicyAwsS3Bucketpolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": "alex-test-bucket-123",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": [
                  "*"
                ]
              },
              "Resource": "arn:aws:s3:::alex-test-bucket-123/*",
              "Action": [
                "s3:GetObject*",
                "s3:DeleteObject*",
                "s3:PutObject*"
              ]
            }
          ]
        }
      }
    }
  }
}

我曾尝试更改IAM用户和我想使用cloudformation管理的实际存储桶的策略，但是没有一个解决方案可以解决该问题.我如何删除此"s3:PutBucketPolicy" 限制?

I have tried changing policies on both my IAM user and the actual bucket I want to manage with cloudformation, but neither solution has resolved the issue. How can I get remove this "s3:PutBucketPolicy" restriction?

我认为问题可能在于，只有IAM角色才能访问"s3:PutBucketPolicy" 操作.我可能需要创建一个具有s3访问权限的角色，然后与运行此cloudformation模板的用户建立信任关系.

I think the issue may be that only IAM roles can access the "s3:PutBucketPolicy" operation. I may need to create a role with s3 access then establish a trust relationship with the user that runs this cloudformation template.

https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html

推荐答案

IAM用户无法直接运行 s3:PutBucketPolicy 操作.您需要创建一个单独的IAM角色，并使用承担IAM角色的信任关系.

IAM users cannot directly run s3:PutBucketPolicy operations. You need to create a separate IAM role and attach it to your user with a trust relationship to assume that IAM role.

您的角色将需要s3和cloudformation访问.以下政策文件将起作用.

Your role will need s3 and cloudformation access. The policy document below will work.

{
    "Version": "2012-10-17",
    "Statement": {
        "Action": [
            "s3:*",
            "cloudformation:*"
        ],
        "Resource": "*",
        "Effect": "Allow"
    }
}

然后需要在配置或 AWS_STS_ROLE_ARN 环境变量以及aws访问密钥中设置IAM角色的地址.

The arn of your IAM role will then need to be set in your config or the AWS_STS_ROLE_ARN environmental variable along with your aws access keys.

一旦担任该角色，便可以更改s3存储桶策略.

Once you assume the role you will then be able to change s3 bucket policies.

请注意，当您在配置或环境变量中设置 AWS_STS_ROLE_ARN 时，这将覆盖用户拥有的所有权限.

Note that this will override any permissions your user has when you set your AWS_STS_ROLE_ARN in your config or environmental variables.

这篇关于如何使用cloudformation更改s3存储桶策略?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！