我正在尝试在 Terraform 中设置 S3 存储桶策略。我在模块 core/main.tf 中编写了以下代码:
resource "aws_s3_bucket_policy" "access_to_bucket" {
bucket = aws_s3_bucket.some_bucket.id
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = ["s3:GetObject", "s3:GetObjectAcl", "s3:ListBucket"]
Effect = "Allow"
Principal = "${var.some_variable_name}"
Resource = [
"${aws_s3_bucket.some_bucket.arn}",
"${aws_s3_bucket.some_bucket.arn}/*"
]
},
]
})
}
然后在本地模块中实例化,该模块使用 localstack 在本地运行。
这是生成的计划:
Terraform will perform the following actions:
# module.local.aws_s3_bucket_policy.access_to_bucket will be created
+ resource "aws_s3_bucket_policy" "access_to_bucket" {
+ bucket = "some_bucket"
+ id = (known after apply)
+ policy = jsonencode(
{
+ Statement = [
+ {
+ Action = [
+ "s3:GetObject",
+ "s3:GetObjectAcl",
+ "s3:ListBucket",
]
+ Effect = "Allow"
+ Principal = "arn:aws:iam::000000000000:role/test_role"
+ Resource = [
+ "arn:aws:s3:::some-bucket/*",
+ "arn:aws:s3:::some-bucket",
]
},
]
+ Version = "2012-10-17"
}
)
}
╷
│ Error: Error putting S3 policy: MalformedPolicy: Invalid policy syntax.
│ status code: 400, request id, host id
│
│ with module.local.aws_s3_bucket_policy.access_to_bucket,
│ on ../core/main.tf line 55, in resource "aws_s3_bucket_policy" "access_to_bucket":
│ 55: resource "aws_s3_bucket_policy" "access_to_bucket" {
│
在本地和 AWS 中运行它最终会出现此错误。我猜这是某个地方的语法错误,但 AFAIK 这是正确的。知道出了什么问题吗?
答案 0 :(得分:1)
您的 Principal 无效。如果您查看 the Principal element 上的 IAM 用户指南(S3 存储桶策略共享相同的语法,但仅限于对存储桶执行的操作并组合以形成最低权限访问控制),您应该会看到如下示例:
"Principal" : {
"AWS": [
"arn:aws:iam::123456789012:root",
"arn:aws:iam::555555555555:root"
]
}
这允许 IAM 操作仅对 ID 为 123456789012 和 555555555555 的两个 AWS 账户中的用户或角色发生。
在您的情况下,您希望允许 an IAM role,因此您的政策应如下所示:
{
"Version":"2012-10-17",
"Statement":[
{
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::000000000000:role/test_role"},
"Action": ["s3:GetObject", "s3:GetObjectAcl", "s3:ListBucket"],
"Resource": ["arn:aws:s3:::some-bucket/*", "arn:aws:s3:::some-bucket"]
}
]
}
Terraform 允许您自己为您的 IAM 策略编写 JSON,这可以更容易地与 Internet 上的示例进行比较,或者您可以使用 aws_iam_policy_document data source 这将为您提供更多的计划时间验证,因为 Terraform 可以更好理解你给出的结构。
与上述等效的策略文档但作为 aws_iam_policy_document 数据源如下所示:
data "aws_iam_policy_document" "bucket_policy" {
statement {
principals {
type = "AWS"
identifiers = ["arn:aws:iam::000000000000:role/test_role"]
}
actions = [
"s3:GetObject",
"s3:GetObjectAcl",
"s3:ListBucket",
]
resources = [
"arn:aws:s3:::some-bucket",
"arn:aws:s3:::some-bucket/*",
]
}
}
resource "aws_s3_bucket_policy" "access_to_bucket" {
bucket = aws_s3_bucket.some_bucket.id
policy = data.aws_iam_policy_document.bucket_policy.json
}