我有一个正在使用的简单云形成脚本。它创建了许多资源,包括API网关和S3存储桶,我想将其中的前一个资源作为代理服务器进行存储,稍后上传对象时。这是角色定义:
BucketItemApiMethodRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS: "*"
Service: apigateway.amazonaws.com
Action: "sts:AssumeRole"
Path: "/"
Policies:
- PolicyName: "tc-bucketitemmethodrole"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action: "s3:Put*"
Resource: !GetAtt RawBucket.Arn
以下是API网关方法中执行S3投放的相关部分:
Integration:
Type: AWS
Credentials: !GetAtt BucketItemApiMethodRole.Arn
IntegrationHttpMethod: PUT
PassthroughBehavior: WHEN_NO_MATCH
RequestParameters:
integration.request.header.Content-Disposition: method.request.header.Content-Disposition
integration.request.header.Content-Type: method.request.header.Content-Type
integration.request.path.key: method.request.path.item
Uri:
Fn::Join:
- "/"
- - "arn:aws:apigateway:us-east-1:s3:path"
- !Ref RawBucketName
- "{key}"
IntegrationResponses:
- StatusCode: 201
我的问题是:当我将角色的资源设置为“ *”时,它可以正常工作。如图所示,当我指定Arn目录时,我从S3收到“拒绝访问”错误。寻找关于我可能遇到的任何想法。
谢谢
答案 0 :(得分:0)
需要一个BucketPolicy-对其进行修复