问题描述
我希望能够使用cloudformation更改s3存储桶上的策略.但是,当我尝试执行此操作时,会遇到错误:
I would like to be able to change the policies on s3 buckets using cloudformation. However when I attempt to do this I encounter the error:
2017-12-21 18:49:10 UTC TestBucketpolicyAwsS3Bucketpolicy CREATE_FAILED API: s3:PutBucketPolicy Access Denied
以下是因此问题而失败的cloudformation模板的示例:
Here is an example of a cloudformation template that fails due to this issue:
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "",
"Resources": {
"TestBucketpolicyAwsS3Bucketpolicy": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": "alex-test-bucket-123",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"*"
]
},
"Resource": "arn:aws:s3:::alex-test-bucket-123/*",
"Action": [
"s3:GetObject*",
"s3:DeleteObject*",
"s3:PutObject*"
]
}
]
}
}
}
}
}
我曾尝试更改IAM用户和我想使用cloudformation管理的实际存储桶的策略,但是没有一个解决方案可以解决该问题.我如何删除此"s3:PutBucketPolicy"
限制?
I have tried changing policies on both my IAM user and the actual bucket I want to manage with cloudformation, but neither solution has resolved the issue. How can I get remove this "s3:PutBucketPolicy"
restriction?
我认为问题可能在于,只有IAM角色才能访问"s3:PutBucketPolicy"
操作.我可能需要创建一个具有s3访问权限的角色,然后与运行此cloudformation模板的用户建立信任关系.
I think the issue may be that only IAM roles can access the "s3:PutBucketPolicy"
operation. I may need to create a role with s3 access then establish a trust relationship with the user that runs this cloudformation template.
https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html
推荐答案
IAM用户无法直接运行 s3:PutBucketPolicy
操作.您需要创建一个单独的IAM角色,并使用承担IAM角色的信任关系.
IAM users cannot directly run s3:PutBucketPolicy
operations. You need to create a separate IAM role and attach it to your user with a trust relationship to assume that IAM role.
您的角色将需要s3和cloudformation访问.以下政策文件将起作用.
Your role will need s3 and cloudformation access. The policy document below will work.
{
"Version": "2012-10-17",
"Statement": {
"Action": [
"s3:*",
"cloudformation:*"
],
"Resource": "*",
"Effect": "Allow"
}
}
然后需要在配置或 AWS_STS_ROLE_ARN
环境变量以及aws访问密钥中设置IAM角色的地址.
The arn of your IAM role will then need to be set in your config or the AWS_STS_ROLE_ARN
environmental variable along with your aws access keys.
一旦担任该角色,便可以更改s3存储桶策略.
Once you assume the role you will then be able to change s3 bucket policies.
请注意,当您在配置或环境变量中设置 AWS_STS_ROLE_ARN
时,这将覆盖用户拥有的所有权限.
Note that this will override any permissions your user has when you set your AWS_STS_ROLE_ARN
in your config or environmental variables.
这篇关于如何使用cloudformation更改s3存储桶策略?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!