好像我在Terraform部署中收到了格式错误的策略,并且在查看该策略时未发现任何问题,所有Principals
似乎都在适当的位置,看起来没有什么< em>与众不同。有人可以找出为什么该政策被认为格式不正确吗?
这是正在抛出的TF输出
module.s3-bucket.aws_s3_bucket_policy.bucket_policy: Creating...
bucket: "" => "the_s3_bucket"
policy: "" => "{\n \"Version\":\"2012-10-17\",\n \"Statement\":[{\n \"Principal\": \"*\",\n \"Action\":[\n \"s3:GetBucketLocation\",\n \"s3:ListAllMyBuckets\"\n ],\n \"Resource\":[\n \"arn:aws:s3:::*\"\n ],\n \"Effect\":\"Allow\"\n }, {\n \"Principal\": \"*\",\n \"Action\":[\n \"s3:ListBucket\",\n \"s3:ListBucketMultipartUploads\"\n ],\n \"Resource\":[\n \"arn:aws:s3:::the_s3_bucket\"\n ],\n \"Effect\":\"Allow\"\n }, {\n \"Principal\": \"*\",\n \"Action\":[\n \"s3:GetObject\",\n \"s3:AbortMultipartUpload\",\n \"s3:ListMultipartUploadParts\",\n \"s3:DeleteObject\",\n \"s3:PutObject\",\n \"s3:GetObjectAcl\",\n \"s3:PutObjectAcl\"\n ],\n \"Resource\":[\n \"arn:aws:s3:::the_s3_bucket/*\"\n ],\n \"Effect\":\"Allow\"\n }]\n}\n"
(非详细)错误:
Error applying plan:
1 error(s) occurred:
* module.s3-bucket.aws_s3_bucket_policy.bucket_policy: 1 error(s) occurred:
* aws_s3_bucket_policy.bucket_policy: Error putting S3 policy: MalformedPolicy: Policy has invalid action
status code: 400, request id: DCAEB510D9FE431C, host id: FwZ187PM8RKZljAZGo1578UvsgW3kwtZpaI2Mom46lu7Jr+NV9Jum8txjsfwdJw0jm9ct0awRWk=
这是其中包含的精美印刷品
{
"Version":"2012-10-17",
"Statement":[{
"Principal": "*",
"Action":[
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource":[
"arn:aws:s3:::*"
],
"Effect":"Allow"
}, {
"Principal": "*",
"Action":[
"s3:ListBucket",
"s3:ListBucketMultipartUploads"
],
"Resource":[
"arn:aws:s3:::the_s3_bucket"
],
"Effect":"Allow"
}, {
"Principal": "*",
"Action":[
"s3:GetObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"s3:DeleteObject",
"s3:PutObject",
"s3:GetObjectAcl",
"s3:PutObjectAcl"
],
"Resource":[
"arn:aws:s3:::the_s3_bucket/*"
],
"Effect":"Allow"
}]
}
更新
显然,这与Principal
字段有关,在通过AWS控制台运行此错误之后,我收到了错误消息
This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar, see AWS IAM Policies
答案 0 :(得分:2)
s3:ListAllMyBuckets
权限不能应用于S3存储桶策略,而是IAM策略权限。您还必须在存储桶策略中直接指定该策略所附加的存储桶,而不是对存储桶使用"Resource": ["*"]
或其他通配符。
IAM策略和S3存储桶策略密切相关并且重叠很多,但是您应该将它们视为有时可能需要的进一步控制级别。不幸的是,S3权限模型非常混乱,并且具有多层添加访问控制的功能,从bucket ACLs和对象ACL(包括完全可配置的ACL和罐头ACL)到bucket policies以及直接的IAM permissions附加到IAM用户或角色。
大多数时候,最好使用canned ACLs,然后使用IAM用户策略来控制谁可以执行ACL不允许的其他操作。 User Guide中对此有进一步的解释。