为 s3 存储桶添加存储桶策略。但在 YAML 中定义它时遇到了多个问题。这是示例 -
S3CURBucketPolicy:
Type: 'AWS::S3::BucketPolicy'
Properties:
PolicyDocument:
Statement:
- Action:
- 's3:ListBucket'
Resource: !Join [ '', ["arn:aws:s3:::", !Ref S3BucketTest]]
Effect: Allow
Condition:
StringEquals:
'AWS:SourceAccount':
- 12334456676
Principal: '*'
Bucket: !Ref S3BucketTest
S3BucketTest是我在同一个cft中定义的s3存储桶的资源名称
S3BucketTest:
Type: AWS::S3::Bucket
我能够创建 s3 存储桶,没有任何问题,但存储桶策略出现错误。
- 对于上面的yaml,它表示资源名称无效。
- 如果我有多个操作并在 [] 中提及它们,则会引发无效操作和格式错误的策略错误。
- 我还想提及多种资源。
我本质上是想在 YAML 中复制它 -
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "stmt_cross_acct_rs_Access",
"Effect": "Allow",
"Principal": {
"AWS": ["arn:aws:iam::12345678:role/role_rs_1", "arn:aws:iam::12345678:root"]
},
"Action": [
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::<demo-bucket>",
"arn:aws:s3:::<demo-bucket>/*"
]
}
]
}
最佳答案
假设您有一个“demobucket”作为存储桶资源或参数,上面的 JSON 在 YAML 中将如下所示:
Version: 2012-10-17
Statement:
- Sid: stmt_cross_acct_rs_Access
Effect: Allow
Principal:
AWS:
- arn:aws:iam::12345678:role/role_rs_1
- arn:aws:iam::12345678:root
Action:
- s3:GetBucketLocation
- s3:GetObject
- s3:ListBucket
- s3:ListBucketMultipartUploads
- s3:ListMultipartUploadParts
- s3:AbortMultipartUpload
- s3:PutObject
Resource:
- !Sub 'arn:aws:s3:::${demobucket}'
- !Sub 'arn:aws:s3:::${demobucket}/*'
这是您应该为您拥有的 YAML 执行的操作:
S3CURBucketPolicy:
Type: 'AWS::S3::BucketPolicy'
Properties:
PolicyDocument:
Statement:
- Action:
- 's3:ListBucket'
Resource: !GetAtt S3BucketTest.Arn
Effect: Allow
Condition:
StringEquals:
'AWS:SourceAccount':
- 12334456676
Principal: '*'
Bucket: !Ref S3BucketTest
关于amazon-web-services - 无效资源和格式错误的策略错误 - aws cloudformation YAML,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/59615784/