使用aws cdk创建具有s3权限的aws用户
create aws user with s3 permissions with aws cdk
我正在尝试将此 CF 模板转换为 AWS CDK:
Resources:
S3User:
Type: AWS::IAM::User
Properties:
Policies:
- PolicyName: UserS3Access
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: AllowUserToSeeBucketListInTheConsole
Action:
- s3:ListAllMyBuckets
- s3:GetBucketLocation
Effect: Allow
Resource:
- arn:aws:s3:::*
- Sid: AllowRootAndUploadsBucket
Action:
- s3:ListBucket
Effect: Allow
Resource:
- Fn::Join:
- ''
- - 'arn:aws:s3:::'
- Ref: UploadBucket
Condition:
StringEquals:
s3:prefix:
- ''
- uploads/
s3:delimiter:
- "/"
- Sid: AllowListingOfUploadsFolder
Action:
- s3:ListBucket
Effect: Allow
Resource:
- Fn::Join:
- ''
- - 'arn:aws:s3:::'
- Ref: UploadBucket
Condition:
StringLike:
s3:prefix:
- uploads/*
- Sid: AllowAllS3ActionsInUploadsFolder
Effect: Allow
Action:
- s3:PutObject
- s3:GetObject
- s3:GetObjectVersion
Resource:
- Fn::Join:
- ''
- - 'arn:aws:s3:::'
- Ref: UploadBucket
- "/uploads"
- "/*"
Tags:
- Key: CloudFormationArn
Value: '#{AWS::StackId}'
UserAccessKey:
DependsOn: S3User
Type: AWS::IAM::AccessKey
Properties:
UserName:
Ref: S3User
Outputs:
UserAccessKeyID:
Description: The Access Key for S3 bucket access
Value:
Ref: UserAccessKey
UserAccessKeySecret:
Description: The Access Key Secret for S3 bucket access
Value:
Fn::GetAtt:
- "UserAccessKey"
- "SecretAccessKey"
这是我目前的情况:
import { Construct, Stack, StackProps, CfnOutput } from '@aws-cdk/core';
import { Group, Policy, PolicyStatement, ManagedPolicy, User } from '@aws-cdk/aws-iam';
// import { Bucket } from '@aws-cdk/aws-s3';
const S3AccessGroup = 'S3AccessGroup';
const S3Users = [
'firstname.lastname@domain.tld',
];
export class CdkIamStack extends Stack {
constructor(scope: Construct, id: string, props?: StackProps) {
super(scope, id, props);
// const bucket = Bucket.fromBucketAttributes(this, 'ImportedBucket', {
// bucketArn: 'arn:aws:s3:::my-bucket'
// });
const AllowUserToSeeBucketListInTheConsole = new PolicyStatement({
resources: ["arn:aws:s3:::*"],
actions: [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
});
const AllowRootAndUploadsBucket = new PolicyStatement({
resources: ['arn:aws:s3:::my-bucket'],
actions: [
"s3:ListBucket"
],
conditions: {'StringEquals': {
's3:prefix': [
'uploads',
],
's3:delimiter': [
'/',
]
}
}
});
const AllowListingOfUploadsFolder = new PolicyStatement({
resources: ['arn:aws:s3:::my-bucket'],
actions: [
"s3:ListBucket"
],
conditions: {'StringEquals': {
's3:prefix': [
'uploads/*',
]
}
}
});
const AllowAllS3ActionsInUploadsFolder = new PolicyStatement({
resources: ['arn:aws:s3:::my-bucket/uploads/*'],
actions: [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion"
],
});
const UserS3Access = new Policy(this, 'UserS3Access', {
policyName: "UserS3Access",
statements: [
AllowUserToSeeBucketListInTheConsole,
AllowRootAndUploadsBucket,
AllowListingOfUploadsFolder,
AllowAllS3ActionsInUploadsFolder
],
});
const S3Group = new Group(this, S3AccessGroup, { groupName: S3AccessGroup });
S3Group.attachInlinePolicy(UserS3Access);
S3Users.forEach((S3User) => {
const user = new User(this, S3User, {
userName: S3User,
groups: [S3Group]
});
});
// new CfnOutput(this, 'accessKeyId', { value: accessKey.ref });
// new CfnOutput(this, 'secretAccessKey', { value: accessKey.attrSecretAccessKey });
}
}
如何为每个创建的用户输出 accessKeyId
和 secretAccessKey
?
这是使用 AWS CDK 生成用户的正确方法吗?
非常感谢任何建议
创建用户后,还需要创建密钥:
S3Users.forEach((S3User) => {
const user = new User(this, S3User, {
userName: S3User,
groups: [S3Group]
});
const accessKey = new CfnAccessKey(this, `${S3User}AccessKey`, {
userName: user.userName,
});
new CfnOutput(this, `${S3User}AccessKeyId`, { value: accessKey.ref });
new CfnOutput(this, `${S3User}SecretAccessKey`, { value: accessKey.attrSecretAccessKey });
});
我正在尝试将此 CF 模板转换为 AWS CDK:
Resources:
S3User:
Type: AWS::IAM::User
Properties:
Policies:
- PolicyName: UserS3Access
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: AllowUserToSeeBucketListInTheConsole
Action:
- s3:ListAllMyBuckets
- s3:GetBucketLocation
Effect: Allow
Resource:
- arn:aws:s3:::*
- Sid: AllowRootAndUploadsBucket
Action:
- s3:ListBucket
Effect: Allow
Resource:
- Fn::Join:
- ''
- - 'arn:aws:s3:::'
- Ref: UploadBucket
Condition:
StringEquals:
s3:prefix:
- ''
- uploads/
s3:delimiter:
- "/"
- Sid: AllowListingOfUploadsFolder
Action:
- s3:ListBucket
Effect: Allow
Resource:
- Fn::Join:
- ''
- - 'arn:aws:s3:::'
- Ref: UploadBucket
Condition:
StringLike:
s3:prefix:
- uploads/*
- Sid: AllowAllS3ActionsInUploadsFolder
Effect: Allow
Action:
- s3:PutObject
- s3:GetObject
- s3:GetObjectVersion
Resource:
- Fn::Join:
- ''
- - 'arn:aws:s3:::'
- Ref: UploadBucket
- "/uploads"
- "/*"
Tags:
- Key: CloudFormationArn
Value: '#{AWS::StackId}'
UserAccessKey:
DependsOn: S3User
Type: AWS::IAM::AccessKey
Properties:
UserName:
Ref: S3User
Outputs:
UserAccessKeyID:
Description: The Access Key for S3 bucket access
Value:
Ref: UserAccessKey
UserAccessKeySecret:
Description: The Access Key Secret for S3 bucket access
Value:
Fn::GetAtt:
- "UserAccessKey"
- "SecretAccessKey"
这是我目前的情况:
import { Construct, Stack, StackProps, CfnOutput } from '@aws-cdk/core';
import { Group, Policy, PolicyStatement, ManagedPolicy, User } from '@aws-cdk/aws-iam';
// import { Bucket } from '@aws-cdk/aws-s3';
const S3AccessGroup = 'S3AccessGroup';
const S3Users = [
'firstname.lastname@domain.tld',
];
export class CdkIamStack extends Stack {
constructor(scope: Construct, id: string, props?: StackProps) {
super(scope, id, props);
// const bucket = Bucket.fromBucketAttributes(this, 'ImportedBucket', {
// bucketArn: 'arn:aws:s3:::my-bucket'
// });
const AllowUserToSeeBucketListInTheConsole = new PolicyStatement({
resources: ["arn:aws:s3:::*"],
actions: [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
});
const AllowRootAndUploadsBucket = new PolicyStatement({
resources: ['arn:aws:s3:::my-bucket'],
actions: [
"s3:ListBucket"
],
conditions: {'StringEquals': {
's3:prefix': [
'uploads',
],
's3:delimiter': [
'/',
]
}
}
});
const AllowListingOfUploadsFolder = new PolicyStatement({
resources: ['arn:aws:s3:::my-bucket'],
actions: [
"s3:ListBucket"
],
conditions: {'StringEquals': {
's3:prefix': [
'uploads/*',
]
}
}
});
const AllowAllS3ActionsInUploadsFolder = new PolicyStatement({
resources: ['arn:aws:s3:::my-bucket/uploads/*'],
actions: [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion"
],
});
const UserS3Access = new Policy(this, 'UserS3Access', {
policyName: "UserS3Access",
statements: [
AllowUserToSeeBucketListInTheConsole,
AllowRootAndUploadsBucket,
AllowListingOfUploadsFolder,
AllowAllS3ActionsInUploadsFolder
],
});
const S3Group = new Group(this, S3AccessGroup, { groupName: S3AccessGroup });
S3Group.attachInlinePolicy(UserS3Access);
S3Users.forEach((S3User) => {
const user = new User(this, S3User, {
userName: S3User,
groups: [S3Group]
});
});
// new CfnOutput(this, 'accessKeyId', { value: accessKey.ref });
// new CfnOutput(this, 'secretAccessKey', { value: accessKey.attrSecretAccessKey });
}
}
如何为每个创建的用户输出 accessKeyId
和 secretAccessKey
?
这是使用 AWS CDK 生成用户的正确方法吗?
非常感谢任何建议
创建用户后,还需要创建密钥:
S3Users.forEach((S3User) => {
const user = new User(this, S3User, {
userName: S3User,
groups: [S3Group]
});
const accessKey = new CfnAccessKey(this, `${S3User}AccessKey`, {
userName: user.userName,
});
new CfnOutput(this, `${S3User}AccessKeyId`, { value: accessKey.ref });
new CfnOutput(this, `${S3User}SecretAccessKey`, { value: accessKey.attrSecretAccessKey });
});