amazon-s3 - 来自 Terraform 的格式错误的 S3 策略

Question

作为我的 Terraform 部署的一部分，我似乎得到了一个格式错误的策略，并且在查看它时没有发现任何问题，所有 Principals 似乎都已到位并且没有什么看起来与众不同。有人可以找出为什么该政策被认为格式错误吗？

这是抛出的 TF 输出

module.s3-bucket.aws_s3_bucket_policy.bucket_policy: Creating...
  bucket: "" => "the_s3_bucket"
  policy: "" => "{\n  \"Version\":\"2012-10-17\",\n    \"Statement\":[{\n      \"Principal\": \"*\",\n      \"Action\":[\n        \"s3:GetBucketLocation\",\n        \"s3:ListAllMyBuckets\"\n      ],\n        \"Resource\":[\n          \"arn:aws:s3:::*\"\n      ],\n    \"Effect\":\"Allow\"\n  }, {\n    \"Principal\": \"*\",\n    \"Action\":[\n      \"s3:ListBucket\",\n      \"s3:ListBucketMultipartUploads\"\n    ],\n    \"Resource\":[\n      \"arn:aws:s3:::the_s3_bucket\"\n    ],\n    \"Effect\":\"Allow\"\n    }, {\n      \"Principal\": \"*\",\n    \"Action\":[\n      \"s3:GetObject\",\n      \"s3:AbortMultipartUpload\",\n      \"s3:ListMultipartUploadParts\",\n      \"s3:DeleteObject\",\n      \"s3:PutObject\",\n      \"s3:GetObjectAcl\",\n      \"s3:PutObjectAcl\"\n    ],\n    \"Resource\":[\n      \"arn:aws:s3:::the_s3_bucket/*\"\n    ],\n    \"Effect\":\"Allow\"\n  }]\n}\n"

(非详细)错误:

Error applying plan:

1 error(s) occurred:

* module.s3-bucket.aws_s3_bucket_policy.bucket_policy: 1 error(s) occurred:

* aws_s3_bucket_policy.bucket_policy: Error putting S3 policy: MalformedPolicy: Policy has invalid action
    status code: 400, request id: DCAEB510D9FE431C, host id: FwZ187PM8RKZljAZGo1578UvsgW3kwtZpaI2Mom46lu7Jr+NV9Jum8txjsfwdJw0jm9ct0awRWk=

这是它包含的内容的精美打印

{
  "Version":"2012-10-17",
    "Statement":[{
      "Principal": "*",
      "Action":[
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
        "Resource":[
          "arn:aws:s3:::*"
      ],
    "Effect":"Allow"
  }, {
    "Principal": "*",
    "Action":[
      "s3:ListBucket",
      "s3:ListBucketMultipartUploads"
    ],
    "Resource":[
      "arn:aws:s3:::the_s3_bucket"
    ],
    "Effect":"Allow"
    }, {
      "Principal": "*",
    "Action":[
      "s3:GetObject",
      "s3:AbortMultipartUpload",
      "s3:ListMultipartUploadParts",
      "s3:DeleteObject",
      "s3:PutObject",
      "s3:GetObjectAcl",
      "s3:PutObjectAcl"
    ],
    "Resource":[
      "arn:aws:s3:::the_s3_bucket/*"
    ],
    "Effect":"Allow"
  }]
}

更新

很明显这与 Principal 字段有关，在通过 AWS 控制台运行它后我得到错误

This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar, see AWS IAM Policies 

Answer 1

s3:ListAllMyBuckets 权限不能应用于 S3 存储桶策略，而是 IAM 策略权限。您还必须在存储桶策略中直接指定该策略附加到的存储桶，而不是对存储桶使用 "Resource": ["*"] 或其他一些通配符。

IAM 策略和 S3 存储桶策略密切相关且重叠很多，但您应将它们视为有时可能需要的更高级别的控制。不幸的是，S3 权限模型非常困惑，并且有多层添加访问控制，来自 bucket ACLs和对象 ACL(包括完全可配置的和 jar 装的)到 bucket policies而且还是直的IAM permissions附加到 IAM 用户或角色。

大多数情况下，最好使用 canned ACLs然后使用 IAM 用户策略来控制谁可以执行 ACL 不允许的额外操作。 User Guide 中有对这些的进一步解释。 .