The following CloudFormation template sets up an API Gateway method that proxies to an S3 bucket.
The S3BucketPolicy opens the bucket for public read access, but the AWS console warns never to do that.
I tried setting the S3BucketPolicy Principal to the service apigateway.amazonaws.com, but that results in Access Denied.
1) What is the correct way to restrict bucket access to the API Gateway function? (Example YAML would be great.)
2) How can I debug this Access Denied failure to get more information about why it fails?
3) Where should I look for sample code for such very standard template snippets?
ATTEMPT #1 - works, but only by making the S3 bucket public; otherwise Access Denied
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  S3BucketName:
    Type: String
    Description: >
      Name for the S3 bucket that contains the nested templates.
Resources:
  RestAPI:
    Type: 'AWS::ApiGateway::RestApi'
    Properties:
      BinaryMediaTypes:
        - '*/*'
      Name: !Ref 'AWS::StackName'
  RestAPIRootGET:
    Type: 'AWS::ApiGateway::Method'
    Properties:
      AuthorizationType: NONE
      HttpMethod: GET
      Integration:
        IntegrationHttpMethod: GET
        PassthroughBehavior: WHEN_NO_MATCH
        Type: HTTP_PROXY
        Uri: !Sub https://${S3BucketName}.s3.amazonaws.com/static-assets/index.html
      ResourceId: !GetAtt RestAPI.RootResourceId
      RestApiId: !Ref RestAPI
    DependsOn:
      - RestAPI
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref S3BucketName
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Sid: GetObject
            Effect: Allow
            Principal: "*"
            Action:
              - s3:*
            Resource:
              - !Sub 'arn:aws:s3:::${S3BucketName}/static-assets/*'
I thought the right approach might be to create a role that can access the bucket and have API Gateway assume that role, but I am having a hard time finding documentation on how to do this in a CloudFormation template. (See also the comment by Michael - sqlbot suggesting the method's Credentials property.)
Here is my attempt, but it fails with Access Denied.
ATTEMPT #2 - Access Denied
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  S3BucketName:
    Type: String
    Description: >
      Name for the S3 bucket that contains the nested templates.
Resources:
  RestAPI:
    Type: 'AWS::ApiGateway::RestApi'
    Properties:
      BinaryMediaTypes:
        - '*/*'
      Name: !Ref 'AWS::StackName'
  RestAPIRootGET:
    Type: 'AWS::ApiGateway::Method'
    Properties:
      AuthorizationType: NONE
      HttpMethod: GET
      Integration:
        IntegrationHttpMethod: GET
        PassthroughBehavior: WHEN_NO_MATCH
        Type: HTTP_PROXY
        Uri: !Sub https://${S3BucketName}.s3.amazonaws.com/static-assets/index.html
        Credentials: !GetAtt AllowStaticAccessRole.Arn
      ResourceId: !GetAtt RestAPI.RootResourceId
      RestApiId: !Ref RestAPI
    DependsOn:
      - RestAPI
      - AllowStaticAccessRole
  AllowStaticAccessRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Principal:
              Service:
                - "apigateway.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Path: "/"
      Policies:
        -
          PolicyName: "AllowStaticAccessPolicy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              -
                Effect: "Allow"
                Action:
                  - s3:*
                Resource:
                  - !Sub 'arn:aws:s3:::${S3BucketName}/static-assets/*'
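The integration type is what decides whether the role in Credentials is used at all: API Gateway signs the backend request with that role only for AWS-type integrations, while an HTTP_PROXY integration sends an unsigned request to the public S3 URL, so only a public bucket can answer it. That is also why attempt #1 needs the wide-open bucket policy, and note that Principal "*" with s3:* on the prefix grants anonymous write and delete, not just read. The template below is an added example written for this question, not code from the question or from an answer to it. It keeps the S3BucketName parameter and the static-assets/ prefix from the question; the resource names (RestAPI, AllowStaticAccessRole, Deployment, Stage) and the stage name prod are chosen here, and the stage-level logging assumes the account already has an API Gateway CloudWatch Logs role configured (AWS::ApiGateway::Account with CloudWatchRoleArn), which API Gateway requires before execution logging can be turned on.

```yaml
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  S3BucketName:
    Type: String
    Description: Name of the private S3 bucket that holds the static-assets/ prefix
Resources:
  RestAPI:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: !Ref AWS::StackName
      BinaryMediaTypes:
        - '*/*'

  # Execution role that API Gateway assumes for the integration request.
  # Least privilege: GetObject only, on the one prefix. No bucket policy and no
  # public access are needed because the request arrives signed with this role.
  AllowStaticAccessRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: apigateway.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: AllowStaticAccessPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: s3:GetObject
                Resource: !Sub arn:aws:s3:::${S3BucketName}/static-assets/*

  RestAPIRootGET:
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref RestAPI
      ResourceId: !GetAtt RestAPI.RootResourceId
      HttpMethod: GET
      AuthorizationType: NONE
      Integration:
        # AWS service integration, not HTTP_PROXY: only here is the request
        # SigV4-signed with the Credentials role. The Uri is the S3 "path" form.
        Type: AWS
        IntegrationHttpMethod: GET
        Credentials: !GetAtt AllowStaticAccessRole.Arn
        Uri: !Sub arn:aws:apigateway:${AWS::Region}:s3:path/${S3BucketName}/static-assets/index.html
        PassthroughBehavior: WHEN_NO_MATCH
        # A non-proxy integration needs explicit response mappings; the
        # SelectionPattern is matched against the S3 status code.
        IntegrationResponses:
          - StatusCode: 200
            ResponseParameters:
              method.response.header.Content-Type: integration.response.header.Content-Type
          - StatusCode: 403
            SelectionPattern: '403'
          - StatusCode: 404
            SelectionPattern: '404'
      MethodResponses:
        - StatusCode: 200
          ResponseParameters:
            method.response.header.Content-Type: true
        - StatusCode: 403
        - StatusCode: 404

  # Deployment and stage with execution logging and data trace on, so an
  # AccessDenied from S3 is visible in CloudWatch Logs together with the
  # integration request and response (see the note on the account-level
  # CloudWatch role in the lead-in).
  Deployment:
    Type: AWS::ApiGateway::Deployment
    DependsOn: RestAPIRootGET
    Properties:
      RestApiId: !Ref RestAPI
  Stage:
    Type: AWS::ApiGateway::Stage
    Properties:
      RestApiId: !Ref RestAPI
      DeploymentId: !Ref Deployment
      StageName: prod
      MethodSettings:
        - ResourcePath: /*
          HttpMethod: '*'
          LoggingLevel: INFO
          DataTraceEnabled: true
```

With this shape the bucket stays private (Block Public Access can remain on) and the only path to the objects is through the method, via the role. For the debugging question, the stage's INFO-level execution log shows the signed integration request, the S3 status code and the S3 error body, which names the denied action; CloudTrail S3 data events or S3 server access logs on the bucket show the same denial from the bucket's side. Keep DataTraceEnabled off on a production stage once the problem is found, since it writes request and response bodies to the log.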