Question

云形成具有用户，用户访问密钥和策略的S3存储桶。它应该创建堆栈并输出通过SDK使用创建的S3存储桶所需的用户访问密钥。在尝试引用BucketPolicy Principal中的BucketUser ARN时，Bucket Policy会永远停留在CREATING阶段。

使用

成功实现CloudFormation

BucketPolicy: ... Principal: "*"

但是BucketPolicy资源永远停留在CREATE中

BucketPolicy: ... Principal: !GetAtt BucketUser.Arn

这在BucketPolicy: ... Principal: "*"

时成功返回BucketUser.Arn

Outputs:
  BucketUserArn:
    Value: !GetAtt BucketUser.Arn

所需模板：

AWSTemplateFormatVersion: "2010-09-09"
Description: "Creates bucket with bucket policy"
#Metadata: 
Parameters:
  app:
    Type: String
    Description: (required) Application name (Also used for bucket name. Follow S3 bucket name conventions)
    Default: ymessage-bucket-test
Resources:
  BucketUser:
    Type: "AWS::IAM::User"
    Properties: 
      UserName: !Ref app
  UserAccessKey:
    Type: "AWS::IAM::AccessKey"
    Properties: 
      Status: Active
      UserName: !Ref app
    DependsOn: BucketUser
  Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref app
  BucketPolicy:
      Type: "AWS::S3::BucketPolicy"
      Properties: 
        Bucket: !Ref app
        PolicyDocument: 
          Statement: 
            - 
              Action: 
                - "s3:*"
              Effect: "Allow"
              Resource: 
                Fn::Join: 
                  - ""
                  - 
                    - "arn:aws:s3:::"
                    - !Ref app
                    - "/*"
              Principal: !GetAtt BucketUser.Arn
      DependsOn: BucketUser
Outputs:
  AccessKeyId:
    Value: !Ref UserAccessKey
  AccessKeySecret:
    Value: !GetAtt UserAccessKey.SecretAccessKey
  BucketURL:
    Value: !GetAtt Bucket.WebsiteURL
  BucketUserArn:
    Value: !GetAtt BucketUser.Arn

工作模板：

AWSTemplateFormatVersion: "2010-09-09"
Description: "Creates bucket with bucket policy"
#Metadata: 
Parameters:
  app:
    Type: String
    Description: (required) Application name (Also used for bucket name. Follow S3 bucket name conventions)
    Default: ymessage-bucket-test
Resources:
  BucketUser:
    Type: "AWS::IAM::User"
    Properties: 
      UserName: !Ref app
  UserAccessKey:
    Type: "AWS::IAM::AccessKey"
    Properties: 
      Status: Active
      UserName: !Ref app
    DependsOn: BucketUser
  Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref app
  BucketPolicy:
      Type: "AWS::S3::BucketPolicy"
      Properties: 
        Bucket: !Ref app
        PolicyDocument: 
          Statement: 
            - 
              Action: 
                - "s3:*"
              Effect: "Allow"
              Resource: 
                Fn::Join: 
                  - ""
                  - 
                    - "arn:aws:s3:::"
                    - !Ref app
                    - "/*"
              Principal: "*"
      DependsOn: BucketUser
Outputs:
  AccessKeyId:
    Value: !Ref UserAccessKey
  AccessKeySecret:
    Value: !GetAtt UserAccessKey.SecretAccessKey
  BucketURL:
    Value: !GetAtt Bucket.WebsiteURL
  BucketUserArn:
    Value: !GetAtt BucketUser.Arn

Answer 1

发现问题：在BucketPolicy中它可以直接接受Principal: "*"，但如果你想使用arn，请执行以下操作：

Principal: 
  AWS: 
    - !GetAtt BucketUser.Arn

CloudFormation BucketPolicy陷入了CREATE。从未完成创建

1 个答案: