来自 Terraform 的格式错误的 S3 策略
Malformed S3 policy from Terraform
作为我的 Terraform 部署的一部分,我似乎得到了一个格式错误的策略,并且在查看它时没有发现任何问题,所有 Principals
似乎都已到位但没有任何问题看起来与众不同。有人可以找出为什么认为此政策格式不正确吗?
这是抛出的 TF 输出
module.s3-bucket.aws_s3_bucket_policy.bucket_policy: Creating...
bucket: "" => "the_s3_bucket"
policy: "" => "{\n \"Version\":\"2012-10-17\",\n \"Statement\":[{\n \"Principal\": \"*\",\n \"Action\":[\n \"s3:GetBucketLocation\",\n \"s3:ListAllMyBuckets\"\n ],\n \"Resource\":[\n \"arn:aws:s3:::*\"\n ],\n \"Effect\":\"Allow\"\n }, {\n \"Principal\": \"*\",\n \"Action\":[\n \"s3:ListBucket\",\n \"s3:ListBucketMultipartUploads\"\n ],\n \"Resource\":[\n \"arn:aws:s3:::the_s3_bucket\"\n ],\n \"Effect\":\"Allow\"\n }, {\n \"Principal\": \"*\",\n \"Action\":[\n \"s3:GetObject\",\n \"s3:AbortMultipartUpload\",\n \"s3:ListMultipartUploadParts\",\n \"s3:DeleteObject\",\n \"s3:PutObject\",\n \"s3:GetObjectAcl\",\n \"s3:PutObjectAcl\"\n ],\n \"Resource\":[\n \"arn:aws:s3:::the_s3_bucket/*\"\n ],\n \"Effect\":\"Allow\"\n }]\n}\n"
(非详细)错误:
Error applying plan:
1 error(s) occurred:
* module.s3-bucket.aws_s3_bucket_policy.bucket_policy: 1 error(s) occurred:
* aws_s3_bucket_policy.bucket_policy: Error putting S3 policy: MalformedPolicy: Policy has invalid action
status code: 400, request id: DCAEB510D9FE431C, host id: FwZ187PM8RKZljAZGo1578UvsgW3kwtZpaI2Mom46lu7Jr+NV9Jum8txjsfwdJw0jm9ct0awRWk=
这是一份漂亮的印刷品它包含的内容
{
"Version":"2012-10-17",
"Statement":[{
"Principal": "*",
"Action":[
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource":[
"arn:aws:s3:::*"
],
"Effect":"Allow"
}, {
"Principal": "*",
"Action":[
"s3:ListBucket",
"s3:ListBucketMultipartUploads"
],
"Resource":[
"arn:aws:s3:::the_s3_bucket"
],
"Effect":"Allow"
}, {
"Principal": "*",
"Action":[
"s3:GetObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"s3:DeleteObject",
"s3:PutObject",
"s3:GetObjectAcl",
"s3:PutObjectAcl"
],
"Resource":[
"arn:aws:s3:::the_s3_bucket/*"
],
"Effect":"Allow"
}]
}
更新
很明显这与 Principal
字段有关,在通过 AWS 控制台 运行 之后我得到错误
This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar, see AWS IAM Policies
s3:ListAllMyBuckets
权限不能应用于 S3 存储桶策略,而是 IAM 策略权限。您还必须在存储桶策略中直接指定该策略附加到的存储桶,而不是对存储桶使用 "Resource": ["*"]
或其他一些通配符。
IAM 策略和 S3 存储桶策略密切相关且重叠很多,但您应将它们视为有时可能需要的更高级别的控制。不幸的是,S3 权限模型非常混乱,并且有多层添加访问控制,来自附加到 IAM 用户或角色的 bucket ACLs and object ACLs (including fully configurable ones and canned ones) to bucket policies and also straight IAM permissions。
大多数情况下,您最好使用 canned ACLs and then use IAM user policies to control who can perform extra actions not allowed by the ACL. There's further explanation of these in the User Guide。
作为我的 Terraform 部署的一部分,我似乎得到了一个格式错误的策略,并且在查看它时没有发现任何问题,所有 Principals
似乎都已到位但没有任何问题看起来与众不同。有人可以找出为什么认为此政策格式不正确吗?
这是抛出的 TF 输出
module.s3-bucket.aws_s3_bucket_policy.bucket_policy: Creating...
bucket: "" => "the_s3_bucket"
policy: "" => "{\n \"Version\":\"2012-10-17\",\n \"Statement\":[{\n \"Principal\": \"*\",\n \"Action\":[\n \"s3:GetBucketLocation\",\n \"s3:ListAllMyBuckets\"\n ],\n \"Resource\":[\n \"arn:aws:s3:::*\"\n ],\n \"Effect\":\"Allow\"\n }, {\n \"Principal\": \"*\",\n \"Action\":[\n \"s3:ListBucket\",\n \"s3:ListBucketMultipartUploads\"\n ],\n \"Resource\":[\n \"arn:aws:s3:::the_s3_bucket\"\n ],\n \"Effect\":\"Allow\"\n }, {\n \"Principal\": \"*\",\n \"Action\":[\n \"s3:GetObject\",\n \"s3:AbortMultipartUpload\",\n \"s3:ListMultipartUploadParts\",\n \"s3:DeleteObject\",\n \"s3:PutObject\",\n \"s3:GetObjectAcl\",\n \"s3:PutObjectAcl\"\n ],\n \"Resource\":[\n \"arn:aws:s3:::the_s3_bucket/*\"\n ],\n \"Effect\":\"Allow\"\n }]\n}\n"
(非详细)错误:
Error applying plan:
1 error(s) occurred:
* module.s3-bucket.aws_s3_bucket_policy.bucket_policy: 1 error(s) occurred:
* aws_s3_bucket_policy.bucket_policy: Error putting S3 policy: MalformedPolicy: Policy has invalid action
status code: 400, request id: DCAEB510D9FE431C, host id: FwZ187PM8RKZljAZGo1578UvsgW3kwtZpaI2Mom46lu7Jr+NV9Jum8txjsfwdJw0jm9ct0awRWk=
这是一份漂亮的印刷品它包含的内容
{
"Version":"2012-10-17",
"Statement":[{
"Principal": "*",
"Action":[
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource":[
"arn:aws:s3:::*"
],
"Effect":"Allow"
}, {
"Principal": "*",
"Action":[
"s3:ListBucket",
"s3:ListBucketMultipartUploads"
],
"Resource":[
"arn:aws:s3:::the_s3_bucket"
],
"Effect":"Allow"
}, {
"Principal": "*",
"Action":[
"s3:GetObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"s3:DeleteObject",
"s3:PutObject",
"s3:GetObjectAcl",
"s3:PutObjectAcl"
],
"Resource":[
"arn:aws:s3:::the_s3_bucket/*"
],
"Effect":"Allow"
}]
}
更新
很明显这与 Principal
字段有关,在通过 AWS 控制台 运行 之后我得到错误
This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar, see AWS IAM Policies
s3:ListAllMyBuckets
权限不能应用于 S3 存储桶策略,而是 IAM 策略权限。您还必须在存储桶策略中直接指定该策略附加到的存储桶,而不是对存储桶使用 "Resource": ["*"]
或其他一些通配符。
IAM 策略和 S3 存储桶策略密切相关且重叠很多,但您应将它们视为有时可能需要的更高级别的控制。不幸的是,S3 权限模型非常混乱,并且有多层添加访问控制,来自附加到 IAM 用户或角色的 bucket ACLs and object ACLs (including fully configurable ones and canned ones) to bucket policies and also straight IAM permissions。
大多数情况下,您最好使用 canned ACLs and then use IAM user policies to control who can perform extra actions not allowed by the ACL. There's further explanation of these in the User Guide。