我尝试配置Kinesis Firehose传输流以将文件写入S3。我创建了Firehose流以使用名为att1的角色。
这是att配置附带的政策。我在这里采用了此页面的格式https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html#using-iam-s3
我已经验证了该政策,但我不确定它是否正确。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:*",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::s3bucket",
"arn:aws:s3:::s3bucket/*"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": [
"arn:aws:kms:us-east-1:515766555555:key/cdee14ca-12b1-4790-9513-d007a3192f43"
],
"Condition": {
"StringEquals": {
"kms:ViaService": "s3.us-east-1.amazonaws.com"
},
"StringLike": {
"kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::s3bucket*"
}
}
}
]
}
配置显然已针对隐私设置进行了编辑,但否则会直接从政策中复制
答案 0 :(得分:0)
我认为您对KMS密钥政策的<input type="image" alt="submit form" onclick="mail()" name="SendButton" id="SendButton" src="./Photos/SendButton.png">
条件是错误的。文档建议这应该是StringLike。
因此,如果您已将firehose配置为使用前缀arn:aws:s3:::<s3bucket>/<prefix>*写入存储区abc,则应如下所示:
def