使用aws cdk创建具有s3权限的aws用户

create aws user with s3 permissions with aws cdk

我正在尝试将此 CF 模板转换为 AWS CDK:

Resources:
  S3User:
    Type: AWS::IAM::User
    Properties:
      Policies:
      - PolicyName: UserS3Access
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Sid: AllowUserToSeeBucketListInTheConsole
            Action:
            - s3:ListAllMyBuckets
            - s3:GetBucketLocation
            Effect: Allow
            Resource:
            - arn:aws:s3:::*
          - Sid: AllowRootAndUploadsBucket
            Action:
            - s3:ListBucket
            Effect: Allow
            Resource:
            - Fn::Join:
              - ''
              - - 'arn:aws:s3:::'
                - Ref: UploadBucket
            Condition:
              StringEquals:
                s3:prefix:
                - ''
                - uploads/
                s3:delimiter:
                - "/"
          - Sid: AllowListingOfUploadsFolder
            Action:
            - s3:ListBucket
            Effect: Allow
            Resource:
            - Fn::Join:
              - ''
              - - 'arn:aws:s3:::'
                - Ref: UploadBucket
            Condition:
              StringLike:
                s3:prefix:
                - uploads/*
          - Sid: AllowAllS3ActionsInUploadsFolder
            Effect: Allow
            Action:
            - s3:PutObject
            - s3:GetObject
            - s3:GetObjectVersion
            Resource:
            - Fn::Join:
              - ''
              - - 'arn:aws:s3:::'
                - Ref: UploadBucket
                - "/uploads"
                - "/*"
      Tags:
        - Key: CloudFormationArn
          Value: '#{AWS::StackId}'
  UserAccessKey:
    DependsOn: S3User
    Type: AWS::IAM::AccessKey
    Properties:
      UserName:
        Ref: S3User

Outputs:
  UserAccessKeyID:
    Description: The Access Key for S3 bucket access
    Value:
      Ref: UserAccessKey
  UserAccessKeySecret:
    Description: The Access Key Secret for S3 bucket access
    Value:
      Fn::GetAtt:
        - "UserAccessKey"
        - "SecretAccessKey"

这是我目前的情况:

import { Construct, Stack, StackProps, CfnOutput }  from '@aws-cdk/core';
import { Group, Policy, PolicyStatement, ManagedPolicy, User } from '@aws-cdk/aws-iam';
// import { Bucket } from '@aws-cdk/aws-s3';

const S3AccessGroup = 'S3AccessGroup';
const S3Users = [
  'firstname.lastname@domain.tld',
];

export class CdkIamStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    // const bucket = Bucket.fromBucketAttributes(this, 'ImportedBucket', {
    //   bucketArn: 'arn:aws:s3:::my-bucket'
    // });

    const AllowUserToSeeBucketListInTheConsole = new PolicyStatement({
      resources: ["arn:aws:s3:::*"],
      actions: [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
        ],
    });
    const AllowRootAndUploadsBucket = new PolicyStatement({
      resources: ['arn:aws:s3:::my-bucket'],
      actions: [
        "s3:ListBucket"
        ],
      conditions: {'StringEquals': {
        's3:prefix': [
          'uploads',
          ],
        's3:delimiter': [
          '/',
          ]
        }
      }
    });
    const AllowListingOfUploadsFolder = new PolicyStatement({
      resources: ['arn:aws:s3:::my-bucket'],
      actions: [
        "s3:ListBucket"
        ],
      conditions: {'StringEquals': {
        's3:prefix': [
          'uploads/*',
          ]
        }
      }
    });
    const AllowAllS3ActionsInUploadsFolder = new PolicyStatement({
      resources: ['arn:aws:s3:::my-bucket/uploads/*'],
      actions: [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetObjectVersion"
        ],
    });

    const UserS3Access = new Policy(this, 'UserS3Access', { 
      policyName: "UserS3Access",
      statements: [
        AllowUserToSeeBucketListInTheConsole,
        AllowRootAndUploadsBucket,
        AllowListingOfUploadsFolder,
        AllowAllS3ActionsInUploadsFolder
      ],
    });

    const S3Group = new Group(this, S3AccessGroup, { groupName: S3AccessGroup });
    S3Group.attachInlinePolicy(UserS3Access);


    S3Users.forEach((S3User) => {
      const user = new User(this, S3User, {
        userName: S3User,
        groups: [S3Group]
      });
    });
    // new CfnOutput(this, 'accessKeyId', { value: accessKey.ref });
    // new CfnOutput(this, 'secretAccessKey', { value: accessKey.attrSecretAccessKey });
  }
}

如何为每个创建的用户输出 accessKeyIdsecretAccessKey

这是使用 AWS CDK 生成用户的正确方法吗?

非常感谢任何建议

创建用户后,还需要创建密钥:

    S3Users.forEach((S3User) => {
      const user = new User(this, S3User, {
        userName: S3User,
        groups: [S3Group]
      });
      const accessKey = new CfnAccessKey(this, `${S3User}AccessKey`, {
        userName: user.userName,
      });
      new CfnOutput(this, `${S3User}AccessKeyId`, { value: accessKey.ref });
      new CfnOutput(this, `${S3User}SecretAccessKey`, { value: accessKey.attrSecretAccessKey });
    });