Question

我正在尝试创建自定义资源，以使用cdk将清单配置添加到存储桶我正在打电话给putBucketInventoryConfiguration（）-https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html#putBucketInventoryConfiguration-property 但是我被拒绝访问目标存储区的策略-

        config_inventory_role.add_to_policy(iam.PolicyStatement(
        effect=iam.Effect.ALLOW,
        resources=[f'{config_inventory_bucket.bucket_arn}/*'],
        actions=['s3:PutObject'],
        conditions={"ArnLike": {
            "aws:SourceArn": config_upload_bucket.bucket_arn
        },
            "StringEquals": {
            "aws:SourceAccount": [
                kwargs["env"]["aws"]["account"]
            ],
            "s3:x-amz-acl": "bucket-owner-full-control"
        }
        }
    ))

(iotsysteminventoryc231de866a82512a9a84151e276042845F52818C) Failed to create resource. Access Denied

[2020-06-15T08:23:51.589Z]  new CustomResource (/tmp/jsii-kernel-ymFU82/node_modules/@aws-cdk/core/lib/custom-resource.js:23:25)

[2020-06-15T08:23:51.589Z]  \_ new AwsCustomResource (/tmp/jsii-kernel-ymFU82/node_modules/@aws-cdk/custom-resources/lib/aws-custom-resource/aws-custom-resource.js:130:31)

[2020-06-15T08:23:51.589Z]  \_ /usr/local/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7853:49

[2020-06-15T08:23:51.589Z]  \_ Kernel._wrapSandboxCode (/usr/local/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:8313:20)

[2020-06-15T08:23:51.589Z]  \_ Kernel._create (/usr/local/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7853:26)

[2020-06-15T08:23:51.589Z]  \_ Kernel.create (/usr/local/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7600:21)

[2020-06-15T08:23:51.589Z]  \_ KernelHost.processRequest (/usr/local/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7388:28)

[2020-06-15T08:23:51.589Z]  \_ KernelHost.run (/usr/local/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7328:14)

[2020-06-15T08:23:51.589Z]  \_ Immediate._onImmediate (/usr/local/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7331:37)

[2020-06-15T08:23:51.589Z]  \_ processImmediate (internal/timers.js:439:21)

Answer 1

我正面临着同样的问题，您是否找到了解决方案。

new AwsCustomResource(this, 'ExportTaskDefToS3', {
   onUpdate: {
      service: 'S3',
      action: 'putObject',
      parameters: {
        ...s3params
      },
      physicalResourceId: PhysicalResourceId.of('ExportTaskDefToS3')
   },
   policy: AwsCustomResourcePolicy.fromStatements([
    new PolicyStatement({
      actions: ["s3:*"],
      resources: [`${props.sourceBucketArn}/*`],
    }),
  ])
});

找到了解决我问题的方法->

我正在创建的自定义资源在帐户B中。 S3存储桶位于帐户A中。我不得不更新帐户A中的S3存储桶策略。

{ “ Version”：“ 2012-10-17”， “声明”：[ { “效果”：“允许”， “校长”：{ “ AWS”：“ arn：aws：iam :: AccountB：user / AccountBUserName” }， “动作”：[ “ s3：GetObject”， “ s3：PutObject”， “ s3：PutObjectAcl” ]， “资源”：[ “ arn：aws：s3 ::: AccountABucketName / *” ] } ] }

错误：创建AWS自定义资源时访问被拒绝

1 个答案: