AWS PHP SDK IAM createPolicy MalformedPolicyDocument

Time: 2019-01-15 18:34:35

Tags: php amazon-web-services amazon-s3 sdk amazon-iam

I can't create an IAM policy with the AWS PHP SDK and am getting a MalformedPolicyDocument error.

The policy JSON looks fine to me, so I'm not sure why it breaks. I'm sure it's something simple and stupid I'm doing wrong and just not seeing.

The use case here is that we create a new IAM user, a new S3 bucket, and a new policy that restricts access to only the new bucket, then attach that policy to the new user.

The IAM user and the S3 bucket are created, but as soon as it creates the new policy it breaks with a MalformedPolicyDocument error.

Keep in mind that this code is not for production; it is only to work through the process and get the basic approach working, which is why the keys are used directly in the code here. I thought I'd better throw that out there so the replies don't get hung up on that.

Here is the code I am using to test the workflow:

// VARIABLES
$key = 'SOMEKEY';
$secretKey = 'SOMESECRETKEY';
$domain = 'https://somedomain.com';                // CORS origins are matched against the browser's Origin header, which includes the scheme
$stagingDomain = 'https://somestagingdomain.com';
$userName = 'somedomaincom';
$BUCKET_NAME = 'somedomaincom';
$s3Arn = 'arn:aws:s3:::' . $BUCKET_NAME;
$policyName = 'somedomaincomPolicy';
$policyArn = 'arn:aws:iam::aws:policy/' . $policyName;

require 'aws/aws-autoloader.php';
use Aws\S3\S3Client;
use Aws\Iam\IamClient;
use Aws\Exception\AwsException;

$iamClient = new IamClient([
    'version' => 'latest',
    'region' => 'us-west-2',
    'credentials' => [
        'key'    => $key,
        'secret' => $secretKey,
    ],
]);

try {
    $result = $iamClient->createUser(array(
        'UserName' => $userName,
    ));
    var_dump($result);
} catch (AwsException $e) {
    echo $e->getMessage();
    error_log($e->getMessage());
}

//Create a S3Client
$s3Client = new S3Client([
    'version' => 'latest',
    'region' => 'us-west-2',
    'credentials' => [ // CHANGE THIS TO A DIFFERENT METHOD BEFORE MOVING TO PRODUCTION
        'key'    => $key,
        'secret' => $secretKey,
    ],
]);

//Creating S3 Bucket
try {
    $result = $s3Client->createBucket([
        'Bucket' => $BUCKET_NAME,
    ]);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}

// SET CORS RULES
$cors = array(array(
    'AllowedOrigins' => array($domain, $stagingDomain),
    'AllowedMethods' => array('POST', 'GET', 'PUT'),
    'MaxAgeSeconds' => 3000,
    'AllowedHeaders' => array('*')
));

// ADD CORS RULES
$result = $s3Client->putBucketCors(array(
    'Bucket' => $BUCKET_NAME,
    'CORSConfiguration' => array('CORSRules' => $cors)
));

// CREATE IAM POLICY - BREAKS ON THIS, MALFORMED POLICY???
$myManagedPolicy = '{
    "Version": "latest",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "' . $s3Arn . '",
                "'. $s3Arn . '/*"
            ]
        }
    ]
}';

try {
    $result = $iamClient->createPolicy(array(
        'PolicyName' => $policyName,
        'PolicyDocument' => $myManagedPolicy
    ));
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    error_log($e->getMessage());
    echo $e->getMessage();
}

// ATTACH IAM POLICY TO USER
try {
    // getIterator() returns a generator, so count() cannot be applied to it;
    // just iterate and stop if the policy is already attached.
    $attachedUserPolicies = $iamClient->getIterator('ListAttachedUserPolicies', [
        'UserName' => $userName,
    ]);
    foreach ($attachedUserPolicies as $attachedUserPolicy) {
        if ($attachedUserPolicy['PolicyName'] == $policyName) {
            echo $policyName . " is already attached to this user. \n";
            exit();
        }
    }
    $result = $iamClient->attachUserPolicy(array(
        'UserName' => $userName,
        'PolicyArn' => $policyArn,
    ));
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    error_log($e->getMessage());
    echo $e->getMessage();
}

I've tried several ways of formatting the policy JSON, such as adding [] around the actions and resources, and hard-coding the values instead of using variables.

This seems so simple, but I've hit a wall. Any idea where I'm going wrong?
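An added example, not part of the question or of the AWS SDK: an offline pre-check that reproduces the structural rules IAM enforces on a policy document, so a MalformedPolicyDocument can be diagnosed before CreatePolicy is called. The lint rules, the `lintPolicyDocument()` name and the sample documents are constructed here; the two dated `Version` values and the S3 ARN format are the only AWS facts it relies on.

```php
<?php
// Added example: reproduce IAM's structural checks locally.
// Covers only the fields used by the question's document.

/**
 * Return a list of problems found in a policy document, or [] if it looks well-formed.
 */
function lintPolicyDocument(string $json): array
{
    $errors = [];
    $doc = json_decode($json, true);
    if (!is_array($doc)) {
        // Typical when the document is spliced together from strings: a stray
        // quote or comma breaks the JSON before IAM ever looks at the content.
        return ['not valid JSON: ' . json_last_error_msg()];
    }

    // IAM accepts only the dated policy-language versions; "latest" is not one.
    // A missing Version defaults to 2008-10-17, which has no policy variables.
    $allowedVersions = ['2012-10-17', '2008-10-17'];
    if (!isset($doc['Version'])) {
        $errors[] = 'missing "Version": defaults to 2008-10-17, use 2012-10-17 explicitly';
    } elseif (!in_array($doc['Version'], $allowedVersions, true)) {
        $errors[] = 'unsupported "Version" "' . $doc['Version'] . '"; use 2012-10-17';
    }

    $statements = $doc['Statement'] ?? null;
    if (!is_array($statements)) {
        $errors[] = 'missing or non-array "Statement"';
        return $errors;
    }
    // A single statement object is allowed in place of a list; normalise it.
    if (isset($statements['Effect'])) {
        $statements = [$statements];
    }

    foreach ($statements as $i => $stmt) {
        $where = "Statement[$i]";
        if (!in_array($stmt['Effect'] ?? null, ['Allow', 'Deny'], true)) {
            $errors[] = "$where: Effect must be Allow or Deny";
        }
        if (!isset($stmt['Action']) && !isset($stmt['NotAction'])) {
            $errors[] = "$where: missing Action";
        }
        if (!isset($stmt['Resource']) && !isset($stmt['NotResource'])) {
            $errors[] = "$where: missing Resource (identity-based policies require one)";
        }
        foreach ((array) ($stmt['Resource'] ?? []) as $res) {
            if ($res !== '*' && strpos($res, 'arn:') !== 0) {
                $errors[] = "$where: Resource \"$res\" is neither * nor an ARN";
            }
        }
    }
    return $errors;
}

// Constructed input: the question's document with the bucket name substituted.
$bucketArn = 'arn:aws:s3:::somedomaincom';
$broken = '{
    "Version": "latest",
    "Statement": [
        { "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*" },
        { "Effect": "Allow", "Action": "s3:*", "Resource": ["' . $bucketArn . '", "' . $bucketArn . '/*"] }
    ]
}';
print_r(lintPolicyDocument($broken));

// Building the document from an array with json_encode() avoids the quoting
// mistakes that hand-spliced strings invite and keeps the version a constant.
$fixed = json_encode([
    'Version'   => '2012-10-17',
    'Statement' => [
        ['Effect' => 'Allow', 'Action' => 's3:ListAllMyBuckets', 'Resource' => 'arn:aws:s3:::*'],
        ['Effect' => 'Allow', 'Action' => 's3:*', 'Resource' => [$bucketArn, "$bucketArn/*"]],
    ],
], JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES);
print_r(lintPolicyDocument($fixed));
```

Run it with `php lint.php` before calling `createPolicy()`; the first `print_r` reports the unsupported `Version` and the second prints an empty array. The linter is deliberately stricter than IAM on the missing-Version case, since a silently defaulted 2008-10-17 document is a common source of later surprises with policy variables.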

1 answer:

Answer 0: (score: 0)

Of course, as soon as I post this I figure it out.

I believe my problem was trying to use "latest" as the version, so I changed it to 2012-10-17.

In case it helps anyone else wanting to do something similar, here is the full working code to create a new IAM user, create access keys for the new user, create a new S3 bucket, set CORS on the S3 bucket to allow access from the domain and the staging domain, create a new policy that restricts access to only the new S3 bucket, and then attach that new policy to the new IAM user:

// VARIABLES
$key = 'YOURKEY';
$secretKey = 'YOURSECRETKEY';
$iamUserKey = '';
$iamUserSecretKey = '';
$domain = 'https://somedomain.com';                // CORS origins are matched against the browser's Origin header, which includes the scheme
$stagingDomain = 'https://somestagingdomain.com';
$userName = 'someusername';
$BUCKET_NAME = 'somebucketname';
$s3Arn = 'arn:aws:s3:::' . $BUCKET_NAME;
$policyName = 'somepolicynamePolicy';
$policyArn = '';

require 'aws/aws-autoloader.php';
use Aws\S3\S3Client;
use Aws\Iam\IamClient;
use Aws\Exception\AwsException;

// CREATE IAM CLIENT
$iamClient = new IamClient([
    'version' => 'latest',
    'region' => 'us-west-2',
    'credentials' => [ // CHANGE THIS TO A DIFFERENT METHOD BEFORE MOVING TO PRODUCTION
        'key'    => $key,
        'secret' => $secretKey,
    ],
]);

// CREATE IAM USER
try {
    $result = $iamClient->createUser(array(
        'UserName' => $userName,
    ));
    //var_dump($result);
} catch (AwsException $e) {
    echo $e->getMessage();
    error_log($e->getMessage());
}

// CREATE IAM USER ACCESS KEYS
// The SecretAccessKey is returned only by this call; hand it to a secrets store
// immediately and never echo or log it.
try {
    $result = $iamClient->createAccessKey([
        'UserName' => $userName,
    ]);
    $iamUserKey = $result['AccessKey']['AccessKeyId'];
    $iamUserSecretKey= $result['AccessKey']['SecretAccessKey'];
} catch (AwsException $e) {
    // output error message if fails
    error_log($e->getMessage());
}

// CREATE S3 CLIENT
$s3Client = new S3Client([
    'version' => 'latest',
    'region' => 'us-west-2',
    'credentials' => [ // CHANGE THIS TO A DIFFERENT METHOD BEFORE MOVING TO PRODUCTION
        'key'    => $key,
        'secret' => $secretKey,
    ],
]);

// CREATE S3 BUCKET
try {
    $result = $s3Client->createBucket([
        'Bucket' => $BUCKET_NAME,
    ]);
} catch (AwsException $e) {
    echo $e->getMessage();
    echo "\n";
}

// SET CORS RULES
$cors = array(array(
    'AllowedOrigins' => array($domain, $stagingDomain),
    'AllowedMethods' => array('POST', 'GET', 'PUT'),
    'MaxAgeSeconds' => 3000,
    'AllowedHeaders' => array('*')
));

// ADD CORS RULES
$result = $s3Client->putBucketCors(array(
    'Bucket' => $BUCKET_NAME,
    'CORSConfiguration' => array('CORSRules' => $cors)
));

// CREATE IAM POLICY
// s3:ListAllMyBuckets is account-wide, so it is granted on arn:aws:s3:::* (it
// cannot be narrowed to one bucket). Bucket-level actions (ListBucket,
// GetBucketLocation) match the bucket ARN and object-level actions match
// bucket-ARN/*, so both resources are listed for the bucket statement.
// NOTE: s3:* on the bucket also allows DeleteBucket and PutBucketPolicy;
// narrow the action list for anything beyond a test run.
$myManagedPolicy = '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "' . $s3Arn . '",
                "' . $s3Arn . '/*"
            ]
        }
    ]
}';

try {
    $result = $iamClient->createPolicy(array(
        // PolicyName is required
        'PolicyName' => $policyName,
        // PolicyDocument is required
        'PolicyDocument' => $myManagedPolicy
    ));
    //var_dump($result);
    $policyArn = $result['Policy']['Arn'];
} catch (AwsException $e) {
    // output error message if fails
    error_log($e->getMessage());
    echo $e->getMessage();
}

// ATTACH IAM POLICY TO USER
try {
    // getIterator() returns a generator, so count() cannot be applied to it;
    // just iterate and stop if the policy is already attached.
    $attachedUserPolicies = $iamClient->getIterator('ListAttachedUserPolicies', [
        'UserName' => $userName,
    ]);
    foreach ($attachedUserPolicies as $attachedUserPolicy) {
        if ($attachedUserPolicy['PolicyName'] == $policyName) {
            echo $policyName . " is already attached to this user. \n";
            exit();
        }
    }
    $result = $iamClient->attachUserPolicy(array(
        // UserName is required
        'UserName' => $userName,
        // PolicyArn is required
        'PolicyArn' => $policyArn,
    ));
    //var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    error_log($e->getMessage());
    echo $e->getMessage();
}

Don't use this code as-is; access keys should not be added directly to the code the way they are in this test example. You should look at the various ways of authenticating in the SDK and use the one that best fits your situation.
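An added example, not the answer's code: the same create-and-attach step with the policy narrowed to the actions a single-bucket user actually needs, and written so the script can be re-run safely. It assumes the AWS SDK for PHP v3 is installed through Composer (`vendor/autoload.php`), that credentials come from the default provider chain (environment, shared config or an instance role) rather than the source file, and that the user, policy and bucket names passed at the bottom are placeholders. The helper names `buildBucketScopedPolicy()`, `customerPolicyArn()` and `ensureBucketPolicyAttached()` are this example's own.

```php
<?php
// Added example; assumes the SDK via Composer and default-chain credentials.
require 'vendor/autoload.php';

use Aws\Iam\IamClient;
use Aws\Sts\StsClient;
use Aws\Exception\AwsException;

/**
 * Build a customer-managed policy that confines a user to one bucket.
 * Bucket-level and object-level actions take different resource ARNs, so they
 * are listed in separate statements. s3:* is avoided because it would also
 * grant DeleteBucket, PutBucketPolicy and PutBucketAcl on the bucket.
 */
function buildBucketScopedPolicy(string $bucket): string
{
    $bucketArn = 'arn:aws:s3:::' . $bucket;
    return json_encode([
        'Version'   => '2012-10-17',
        'Statement' => [
            [
                // Account-wide action: it cannot be narrowed to one bucket.
                'Sid'      => 'ListBuckets',
                'Effect'   => 'Allow',
                'Action'   => 's3:ListAllMyBuckets',
                'Resource' => '*',
            ],
            [
                'Sid'      => 'BucketLevel',
                'Effect'   => 'Allow',
                'Action'   => ['s3:ListBucket', 's3:GetBucketLocation'],
                'Resource' => $bucketArn,
            ],
            [
                'Sid'      => 'ObjectLevel',
                'Effect'   => 'Allow',
                'Action'   => ['s3:GetObject', 's3:PutObject', 's3:DeleteObject'],
                'Resource' => $bucketArn . '/*',
            ],
        ],
    ], JSON_UNESCAPED_SLASHES);
}

/**
 * ARN of a customer-managed policy. The account ID is the namespace; the
 * "aws" namespace (arn:aws:iam::aws:policy/...) is reserved for AWS-managed policies.
 */
function customerPolicyArn(string $accountId, string $policyName): string
{
    return "arn:aws:iam::{$accountId}:policy/{$policyName}";
}

/**
 * Create the policy if it does not exist yet and attach it to the user.
 * Re-running is safe: EntityAlreadyExists is handled by deriving the ARN from
 * the caller's account ID, and AttachUserPolicy is idempotent.
 */
function ensureBucketPolicyAttached(
    IamClient $iam,
    StsClient $sts,
    string $userName,
    string $policyName,
    string $bucket
): string {
    try {
        $result = $iam->createPolicy([
            'PolicyName'     => $policyName,
            'PolicyDocument' => buildBucketScopedPolicy($bucket),
        ]);
        $policyArn = $result['Policy']['Arn'];
    } catch (AwsException $e) {
        if ($e->getAwsErrorCode() !== 'EntityAlreadyExists') {
            throw $e;
        }
        $accountId = $sts->getCallerIdentity()['Account'];
        $policyArn = customerPolicyArn($accountId, $policyName);
    }

    $iam->attachUserPolicy(['UserName' => $userName, 'PolicyArn' => $policyArn]);
    return $policyArn;
}

// Placeholder names; no credentials appear in the file.
$iam = new IamClient(['version' => '2010-05-08', 'region' => 'us-west-2']);
$sts = new StsClient(['version' => '2011-06-15', 'region' => 'us-west-2']);
echo ensureBucketPolicyAttached($iam, $sts, 'somedomaincom', 'somedomaincomPolicy', 'somedomaincom'), PHP_EOL;
```

Pinning the API versions instead of `'latest'` keeps the SDK's request shapes stable across upgrades. If the policy document itself needs to change later, create a new policy version with `createPolicyVersion()` rather than deleting and recreating the policy, so the attachment survives.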
