为什么此 AWS CloudFormation 脚本会抛出 "Policy contains a statement with one or more invalid principals" 错误?
Why does this AWS CloudFormation script throw "Policy contains a statement with one or more invalid principals" error?
我正在尝试:
- 创建 CMK
- 创建一个 requires/enforces 使用的新存储桶
CMK
代码来自here
AWSTemplateFormatVersion: 2010-09-09
Description: Example template with Customer Master Key and S3 bucket
Resources:
Bucket:
Type: "AWS::S3::Bucket"
DeletionPolicy: Retain
Properties:
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
KMSMasterKeyID: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${CMKAlias}"
SSEAlgorithm: "aws:kms"
CMKAlias:
Type: "AWS::KMS::Alias"
Properties:
AliasName: "alias/test/cmk"
TargetKeyId: !Ref CMK
CMK:
Type: "AWS::KMS::Key"
Properties:
Description: "My CMK"
Enabled: True
EnableKeyRotation: true
KeyPolicy:
Version: "2012-10-17"
Statement:
- Sid: "Allow root IAM"
Effect: "Allow"
Principal:
AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/root"
Action:
- "kms:*"
Resource: "*"
Outputs:
CMKId:
Value: !Ref CMK
CMKArn:
Value: !GetAtt CMK.Arn
CMKAliasArn:
Value: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${CMKAlias}"
Bucket:
Value: !Ref Bucket
错误是:
The following resource(s) failed to create: [CMK]. . Rollback requested by user.
Policy contains a statement with one or more invalid principals.
(Service: AWSKMS; Status Code: 400;
Error Code: MalformedPolicyDocumentException;
Request ID: zzzzzz-zzzzz-zzzzz)
我认为问题出在这一行:
AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/root"
我从 intrinsic-function-reference-sub that !Sub is a function to replace values, and I see from pseudo-parameter-reference 中看到 ${AWS::AccountId} 是一个有效的伪参数,所以我不明白为什么该行失败。
我从 how-to-generate-the-aws-root-account-arn-in-cloudformation 看到这被认为是 YAML 中的有效方式:
!Sub arn:aws:iam::${AWS::AccountId}:root
您的缩进不正确。
按以下方式尝试:
KeyPolicy:
Version: "2012-10-17"
Statement:
- Sid: "Allow root IAM"
Effect: "Allow"
Principal:
AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/root"
Action:
- "kms:*"
Resource: "*"
我正在尝试:
- 创建 CMK
- 创建一个 requires/enforces 使用的新存储桶 CMK
代码来自here
AWSTemplateFormatVersion: 2010-09-09
Description: Example template with Customer Master Key and S3 bucket
Resources:
Bucket:
Type: "AWS::S3::Bucket"
DeletionPolicy: Retain
Properties:
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
KMSMasterKeyID: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${CMKAlias}"
SSEAlgorithm: "aws:kms"
CMKAlias:
Type: "AWS::KMS::Alias"
Properties:
AliasName: "alias/test/cmk"
TargetKeyId: !Ref CMK
CMK:
Type: "AWS::KMS::Key"
Properties:
Description: "My CMK"
Enabled: True
EnableKeyRotation: true
KeyPolicy:
Version: "2012-10-17"
Statement:
- Sid: "Allow root IAM"
Effect: "Allow"
Principal:
AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/root"
Action:
- "kms:*"
Resource: "*"
Outputs:
CMKId:
Value: !Ref CMK
CMKArn:
Value: !GetAtt CMK.Arn
CMKAliasArn:
Value: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${CMKAlias}"
Bucket:
Value: !Ref Bucket
错误是:
The following resource(s) failed to create: [CMK]. . Rollback requested by user.
Policy contains a statement with one or more invalid principals.
(Service: AWSKMS; Status Code: 400;
Error Code: MalformedPolicyDocumentException;
Request ID: zzzzzz-zzzzz-zzzzz)
我认为问题出在这一行:
AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/root"
我从 intrinsic-function-reference-sub that !Sub is a function to replace values, and I see from pseudo-parameter-reference 中看到 ${AWS::AccountId} 是一个有效的伪参数,所以我不明白为什么该行失败。
我从 how-to-generate-the-aws-root-account-arn-in-cloudformation 看到这被认为是 YAML 中的有效方式:
!Sub arn:aws:iam::${AWS::AccountId}:root
您的缩进不正确。
按以下方式尝试:
KeyPolicy:
Version: "2012-10-17"
Statement:
- Sid: "Allow root IAM"
Effect: "Allow"
Principal:
AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/root"
Action:
- "kms:*"
Resource: "*"