Aurora PostgreSQL 访问 s3 的权限
Aurora PostgreSQL permissions to access s3
我正在尝试授予我的 Aurora PostgreSQL 访问 s3 存储桶的权限。我正在使用无服务器框架并具有以下代码。
RDSCluster:
Type: 'AWS::RDS::DBCluster'
Properties:
MasterUsername: AuserName
MasterUserPassword: Apassword
DBSubnetGroupName:
Ref: RDSClusterGroup
AvailabilityZones:
- eu-central-1a
- eu-central-1b
Engine: aurora-postgresql
EngineVersion: 11.9
EngineMode: provisioned
EnableHttpEndpoint: true
DatabaseName: initialbase
DBClusterParameterGroupName:
Ref: RDSDBParameterGroup
AssociatedRoles:
- RoleArn:
{ Fn::GetAtt: [ AuroraPolicy, Arn ] }
VpcSecurityGroupIds:
- Ref: RdsSecurityGroup
AuroraPolicy:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- rds.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
Policies:
- PolicyName: AuroraRolePolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:AbortMultipartUpload
- s3:GetBucketLocation
- s3:GetObject
- s3:ListBucket
- s3:ListBucketMultipartUploads
- s3:PutObject
Resource:
- { Fn::GetAtt: [ S3BucketEgresbucket, Arn ] }
- Fn::Join:
- ""
- - { Fn::GetAtt: [ S3BucketEgresbucket, Arn ] }
- "/*"
这应该授予数据库使用 SELECT aws_commons.create_s3_ur
执行查询的权限
然而,当我尝试部署时,我收到错误消息:
必须为 Aurora (PostgreSQL) 引擎的当前操作提供功能名称参数。
问题来自 AssociatedRoles 对象,cloudformation 声明不需要 FeatureName 字段,但是如果您希望集群访问其他 AWS 服务,则需要该字段。在这种情况下,因为我想让我的集群访问一个 s3 存储桶,所以我必须更改我的 AssociatedRoles 对象,因此它看起来像这样:
AssociatedRoles:
- RoleArn: { Fn::GetAtt: [ roleServiceIntegration, Arn ] }
FeatureName: s3Import
我正在尝试授予我的 Aurora PostgreSQL 访问 s3 存储桶的权限。我正在使用无服务器框架并具有以下代码。
RDSCluster:
Type: 'AWS::RDS::DBCluster'
Properties:
MasterUsername: AuserName
MasterUserPassword: Apassword
DBSubnetGroupName:
Ref: RDSClusterGroup
AvailabilityZones:
- eu-central-1a
- eu-central-1b
Engine: aurora-postgresql
EngineVersion: 11.9
EngineMode: provisioned
EnableHttpEndpoint: true
DatabaseName: initialbase
DBClusterParameterGroupName:
Ref: RDSDBParameterGroup
AssociatedRoles:
- RoleArn:
{ Fn::GetAtt: [ AuroraPolicy, Arn ] }
VpcSecurityGroupIds:
- Ref: RdsSecurityGroup
AuroraPolicy:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- rds.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
Policies:
- PolicyName: AuroraRolePolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:AbortMultipartUpload
- s3:GetBucketLocation
- s3:GetObject
- s3:ListBucket
- s3:ListBucketMultipartUploads
- s3:PutObject
Resource:
- { Fn::GetAtt: [ S3BucketEgresbucket, Arn ] }
- Fn::Join:
- ""
- - { Fn::GetAtt: [ S3BucketEgresbucket, Arn ] }
- "/*"
这应该授予数据库使用 SELECT aws_commons.create_s3_ur
然而,当我尝试部署时,我收到错误消息:
必须为 Aurora (PostgreSQL) 引擎的当前操作提供功能名称参数。
问题来自 AssociatedRoles 对象,cloudformation 声明不需要 FeatureName 字段,但是如果您希望集群访问其他 AWS 服务,则需要该字段。在这种情况下,因为我想让我的集群访问一个 s3 存储桶,所以我必须更改我的 AssociatedRoles 对象,因此它看起来像这样:
AssociatedRoles:
- RoleArn: { Fn::GetAtt: [ roleServiceIntegration, Arn ] }
FeatureName: s3Import