Terraform S3 bucket creation results in Unauthorized

Time: 2017-12-06 08:30:38

Tags: amazon-s3 permissions terraform

Question

What AWS permissions are needed to create an S3 bucket? Doing so results in HTTP/1.1 403 Forbidden on ec2/DescribeAccountAttributes and s3/CreateBucket. Alternatively, how can I get more information from the AWS side to troubleshoot further?

I added all EC2 and S3 permissions to the user account, but that did not solve the problem.

Note

This does not happen if I have all the permissions of the account owner (using a different account).

Problem

Trying to create an S3 bucket.

resource "aws_s3_bucket" "s3_bucket_tfstate" {
  bucket = "${var.s3_bucket_tfstate}"
  acl    = "private"
}    

However, it results in the 403 below with TF_LOG=DEBUG.

2017/12/06 18:55:35 [DEBUG] [aws-sdk-go] DEBUG: Request ec2/DescribeAccountAttributes Details:
---[ REQUEST POST-SIGN ]-----------------------------
POST / HTTP/1.1
Host: ec2.ap-southeast-2.amazonaws.com
User-Agent: aws-sdk-go/1.12.35 (go1.9; darwin; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.11.0-beta1
Content-Length: 87
Authorization: AWS4-HMAC-SHA256 Credential=<credential>/20171206/ap-southeast-2/ec2/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date, Signature=****
Content-Type: application/x-www-form-urlencoded; charset=utf-8
X-Amz-Date: 20171206T075535Z
Accept-Encoding: gzip

Action=DescribeAccountAttributes&AttributeName.1=supported-platforms&Version=2016-11-15
-----------------------------------------------------
2017/12/06 18:55:35 [DEBUG] [aws-sdk-go] DEBUG: Response ec2/DescribeAccountAttributes Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 403 Forbidden
Connection: close
Transfer-Encoding: chunked
Date: Wed, 06 Dec 2017 07:55:37 GMT
Server: AmazonEC2


-----------------------------------------------------
2017/12/06 18:55:35 [DEBUG] [aws-sdk-go] <?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>UnauthorizedOperation</Code><Message>You are not authorized to perform this operation.</Message></Error></Errors><RequestID>0b9480d5-a687-46f8-a0ca-a212c37ce3fb</RequestID></Response>
2017/12/06 18:55:35 [DEBUG] [aws-sdk-go] DEBUG: Validate Response ec2/DescribeAccountAttributes failed, not retrying, error UnauthorizedOperation: You are not authorized to perform this operation.


2017/12/06 19:55:52 [DEBUG] [aws-sdk-go] DEBUG: Request s3/CreateBucket Details:
---[ REQUEST POST-SIGN ]-----------------------------
PUT / HTTP/1.1
Host: mule-cdr-billing-adapter-config-tfstate.s3.ap-southeast-2.amazonaws.com
User-Agent: aws-sdk-go/1.12.35 (go1.9; darwin; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.11.0-beta1
Content-Length: 158
Authorization: AWS4-HMAC-SHA256 Credential=****/20171206/ap-southeast-2/s3/aws4_request, SignedHeaders=content-length;host;x-amz-acl;x-amz-content-sha256;x-amz-date, Signature=****
X-Amz-Acl: private
X-Amz-Content-Sha256: 8bfaf12a44a138dc6f38eb5c291558f2c551b0f18ab6e2a5e7f9a00176b25240
X-Amz-Date: 20171206T085552Z
Accept-Encoding: gzip

<CreateBucketConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><LocationConstraint>ap-southeast-2</LocationConstraint></CreateBucketConfiguration>
-----------------------------------------------------
2017/12/06 19:55:53 [DEBUG] [aws-sdk-go] DEBUG: Response s3/CreateBucket Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 403 Forbidden
Connection: close
Transfer-Encoding: chunked
Content-Type: application/xml
Date: Wed, 06 Dec 2017 08:55:55 GMT
Server: AmazonS3
X-Amz-Id-2: oAttLYQ1qxta2qs03RD79G8xZxTSfDtauQZyeQ8lsq2+4LWBghg+bGjpNvL6Xl1qPnIwE8YOyRs=
X-Amz-Request-Id: 9B562398EEFDF96E


-----------------------------------------------------
2017/12/06 19:55:53 [DEBUG] [aws-sdk-go] <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>9B562398EEFDF96E</RequestId><HostId>oAttLYQ1qxta2qs03RD79G8xZxTSfDtauQZyeQ8lsq2+4LWBghg+bGjpNvL6Xl1qPnIwE8YOyRs=</HostId></Error>
2017/12/06 19:55:53 [DEBUG] [aws-sdk-go] DEBUG: Validate Response s3/CreateBucket failed, not retrying, error AccessDenied: Access Denied
    status code: 403, request id: 9B562398EEFDF96E, host id: oAttLYQ1qxta2qs03RD79G8xZxTSfDtauQZyeQ8lsq2+4LWBghg+bGjpNvL6Xl1qPnIwE8YOyRs=
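As an added example (not part of the question or the answer), the following parser walks aws-sdk-go debug output like the log above, pairs each failed call with the HTTP status, error code and request id of its response block, and flags the two 403 codes seen here as policy denials rather than bad requests. The sample log is a constructed excerpt of the lines quoted above; the request id is the value to quote to AWS Support or to look up in CloudTrail.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the TF_LOG=DEBUG output quoted above, trimmed to the
# lines the parser needs (response header, HTTP status, XML error body, verdict).
SAMPLE_LOG = """\
2017/12/06 18:55:35 [DEBUG] [aws-sdk-go] DEBUG: Response ec2/DescribeAccountAttributes Details:
HTTP/1.1 403 Forbidden
<Response><Errors><Error><Code>UnauthorizedOperation</Code><Message>You are not authorized to perform this operation.</Message></Error></Errors><RequestID>0b9480d5-a687-46f8-a0ca-a212c37ce3fb</RequestID></Response>
2017/12/06 18:55:35 [DEBUG] [aws-sdk-go] DEBUG: Validate Response ec2/DescribeAccountAttributes failed, not retrying, error UnauthorizedOperation: You are not authorized to perform this operation.
2017/12/06 19:55:53 [DEBUG] [aws-sdk-go] DEBUG: Response s3/CreateBucket Details:
HTTP/1.1 403 Forbidden
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>9B562398EEFDF96E</RequestId></Error>
2017/12/06 19:55:53 [DEBUG] [aws-sdk-go] DEBUG: Validate Response s3/CreateBucket failed, not retrying, error AccessDenied: Access Denied
"""

RESPONSE_HDR = re.compile(r"DEBUG: Response (\S+) Details:")
STATUS = re.compile(r"^HTTP/1\.1 (\d{3})")
REQUEST_ID = re.compile(r"<RequestI[dD]>([^<]+)</RequestI[dD]>")   # EC2 writes RequestID, S3 RequestId
FAILURE = re.compile(r"Validate Response (\S+) failed, not retrying, error (\w+): (.*)")

# A 403 with one of these codes is a policy denial, not a bad request or a missing resource.
AUTHZ_DENIALS = {"UnauthorizedOperation", "AccessDenied"}

@dataclass
class ApiFailure:
    operation: str   # e.g. "s3/CreateBucket"
    status: int
    code: str
    message: str
    request_id: str  # quote this to AWS Support or match it against CloudTrail events

def parse_failures(log: str) -> list[ApiFailure]:
    """Pair each failed aws-sdk-go call with the status and request id of its response block."""
    failures, op, status, req_id = [], None, 0, ""
    for line in log.splitlines():
        if m := RESPONSE_HDR.search(line):
            op, status, req_id = m.group(1), 0, ""      # a new response block resets state
        elif m := STATUS.match(line):
            status = int(m.group(1))
        elif m := REQUEST_ID.search(line):
            req_id = m.group(1)
        elif (m := FAILURE.search(line)) and m.group(1) == op:
            failures.append(ApiFailure(op, status, m.group(2), m.group(3), req_id))
    return failures

def is_authorization_denial(f: ApiFailure) -> bool:
    """True when the call was rejected by IAM or bucket policy (the outcome an MFA condition produces)."""
    return f.status == 403 and f.code in AUTHZ_DENIALS
```

Run `parse_failures(SAMPLE_LOG)` (or feed it a real `TF_LOG=DEBUG` capture) and check `is_authorization_denial` on each result; when every failure is a policy denial, the fix is on the IAM side (as the answer below found with the Policy Simulator), not in the Terraform resource.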

1 answer:

Answer 0: (score: 1)

Cause

I simulated the AWS S3 CreateBucket call with the IAM Policy Simulator and found that the policy blocking the creation was the MFA policy.

Solution

# Obtain temporary credentials from STS using the MFA device. Requires $AWS_PROFILE,
# $SECURITY_DEVICE_ARN (the ARN of the MFA device) and $MFA_TOKEN (the current one-time code).
session=$(aws sts get-session-token --profile "$AWS_PROFILE" --serial-number "$SECURITY_DEVICE_ARN" --token-code "$MFA_TOKEN")
export AWS_ACCESS_KEY_ID=$(echo "$session" | jq -r .Credentials.AccessKeyId)
export AWS_SECRET_ACCESS_KEY=$(echo "$session" | jq -r .Credentials.SecretAccessKey)
export AWS_SESSION_TOKEN=$(echo "$session" | jq -r .Credentials.SessionToken)
# The serial number is the device ARN, not the one-time code.
export AWS_MFA_SERIAL_NUMBER=${SECURITY_DEVICE_ARN}

Then run terraform.