目标
创建一个 S3 存储桶,我的服务将向其中写入图像,并且任何人都可以从中读取该图像,因为我将在我的服务的网页上显示该图像。
问题
所以我有一个非常通用的(我认为)S3 存储桶模板,应该允许任何人读取其中的对象:
SomeS3Bucket:
Type: "AWS::S3::Bucket"
Properties:
BucketName: "some-bucket-name"
AccessControl: PublicRead
OwnershipControls:
Rules:
- ObjectOwnership: BucketOwnerPreferred # without it it complains about ownership being set to BucketOwnerEnforced
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: "AES256"
BucketKeyEnabled: false
CorsConfiguration:
CorsRules:
- AllowedHeaders:
- "*"
AllowedMethods:
- "PUT"
- "POST"
- "DELETE"
- "GET"
AllowedOrigins:
- "*"
尝试部署此模板始终会导致如下错误:存储桶无法在启用 BlockPublicAccess 的情况下设置公共(public) ACL(服务:Amazon S3;状态代码:400;错误代码:InvalidBucketAclWithBlockPublicAccessError)
尝试从AWS控制台并使用aws-cli/2.6.4 Python/3.9.11 Linux/5.10.16.3-microsoft-standard-WSL2 exe/x86_64.ubuntu.20提示/关闭创建堆栈.
非常感谢对此的任何帮助。
尝试添加:
PublicAccessBlockConfiguration:
BlockPublicAcls: false
BlockPublicPolicy: false
IgnorePublicAcls: false
RestrictPublicBuckets: false
但这也没有帮助。
还尝试将 ObjectOwnership 设置为 ObjectWriter,检查了我的 AWS 账户级别的 BlockPublicAccess 配置。没有任何迹象表明问题的根本原因。
最佳答案
Amazon 最近开始对新存储桶的创建方式进行更改,请参阅 https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html
For new buckets created after this update, all S3 Block Public Access settings will be enabled, and S3 access control lists (ACLs) will be disabled. These defaults are the recommended best practices for securing data in Amazon S3. You can adjust these settings after creating your bucket.
您需要添加 PublicAccessBlockConfiguration,并将 ObjectOwnership 设置为 ObjectWriter - 您已经在控制之下 - 并且在同时确保您最初没有设置AccessControl。 AccessControl 只能在创建存储桶之后进行修改。
关于amazon-web-services - CloudFormation 不断为我的 S3 存储桶模板的部署抛出 InvalidBucketAclWithBlockPublicAccessError,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/76026251/