为什么我会收到以下错误? "Error putting S3 policy: MalformedPolicy: Policy has invalid action"
Why am I getting an the following error? "Error putting S3 policy: MalformedPolicy: Policy has invalid action"
我正在按照指南 here 允许将日志写入 s3。
"使用以下访问策略使 Kinesis Data Firehose 能够访问您的 S3 存储桶和 AWS KMS 密钥。如果您不拥有 S3 存储桶,请将 s3:PutObjectAcl 添加到 Amazon S3 操作列表中。这会授予存储桶所有者对 Kinesis Data Firehose 交付的对象的完全访问权限。“
{
"Version": "2012-10-17",
"Statement":
[
{
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::bucket-name",
"arn:aws:s3:::bucket-name/*"
]
},
{
"Effect": "Allow",
"Action": [
"kinesis:DescribeStream",
"kinesis:GetShardIterator",
"kinesis:GetRecords",
"kinesis:ListShards"
],
"Resource": "arn:aws:kinesis:region:account-id:stream/stream-name"
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": [
"arn:aws:kms:region:account-id:key/key-id"
],
"Condition": {
"StringEquals": {
"kms:ViaService": "s3.region.amazonaws.com"
},
"StringLike": {
"kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::bucket-name/prefix*"
}
}
},
{
"Effect": "Allow",
"Action": [
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:region:account-id:log-group:log-group-name:log-stream:log-stream-name"
]
},
{
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction",
"lambda:GetFunctionConfiguration"
],
"Resource": [
"arn:aws:lambda:region:account-id:function:function-name:function-version"
]
}
]
}
具体来说,我看到错误的块如下(我已经包含了主体,因为这是必需的):
{
"Effect": "Allow",
"Principal": {
"AWS": [
"${account_id}"
]
},
"Action": [
"kinesis:DescribeStream",
"kinesis:GetShardIterator",
"kinesis:GetRecords",
"kinesis:ListShards"
],
"Resource": "arn:aws:kinesis:${region}:${account_id}:stream/*"
},
但是当我尝试将策略应用于 s3 存储桶时,我得到以下信息:
Error: Error putting S3 policy: MalformedPolicy: Policy has invalid action
│状态码:400,请求id:xxxxxxxxxxxxx,主机id:xxxxxxxxxxxxxxxxxxxxxxxxxxxx
│
为什么我会收到这个错误?
链接的 AWS 文档中给出的策略应附加到与 kinesis firehose 关联的 IAM 角色。
S3 存储桶策略是基于资源的策略。在基于资源的策略中,您可以指定仅与该特定资源相关的操作(在本例中为 S3 存储桶)。但是由于您正在尝试将运动数据流操作添加到 S3 存储桶策略,因此您收到“无效操作”错误
这个区块:
{
"Effect": "Allow",
"Action": [
"kinesis:DescribeStream",
"kinesis:GetShardIterator",
"kinesis:GetRecords",
"kinesis:ListShards"
],
"Resource": "arn:aws:kinesis:region:account-id:stream/stream-name"
},
表示要对 Kinesis 数据流执行的操作,而不是 Kinesis 交付流。这是 AWS 文档中的错误。如果您不从数据流中提供传输流,则可以删除此块。
我正在按照指南 here 允许将日志写入 s3。
"使用以下访问策略使 Kinesis Data Firehose 能够访问您的 S3 存储桶和 AWS KMS 密钥。如果您不拥有 S3 存储桶,请将 s3:PutObjectAcl 添加到 Amazon S3 操作列表中。这会授予存储桶所有者对 Kinesis Data Firehose 交付的对象的完全访问权限。“
{
"Version": "2012-10-17",
"Statement":
[
{
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::bucket-name",
"arn:aws:s3:::bucket-name/*"
]
},
{
"Effect": "Allow",
"Action": [
"kinesis:DescribeStream",
"kinesis:GetShardIterator",
"kinesis:GetRecords",
"kinesis:ListShards"
],
"Resource": "arn:aws:kinesis:region:account-id:stream/stream-name"
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": [
"arn:aws:kms:region:account-id:key/key-id"
],
"Condition": {
"StringEquals": {
"kms:ViaService": "s3.region.amazonaws.com"
},
"StringLike": {
"kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::bucket-name/prefix*"
}
}
},
{
"Effect": "Allow",
"Action": [
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:region:account-id:log-group:log-group-name:log-stream:log-stream-name"
]
},
{
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction",
"lambda:GetFunctionConfiguration"
],
"Resource": [
"arn:aws:lambda:region:account-id:function:function-name:function-version"
]
}
]
}
具体来说,我看到错误的块如下(我已经包含了主体,因为这是必需的):
{
"Effect": "Allow",
"Principal": {
"AWS": [
"${account_id}"
]
},
"Action": [
"kinesis:DescribeStream",
"kinesis:GetShardIterator",
"kinesis:GetRecords",
"kinesis:ListShards"
],
"Resource": "arn:aws:kinesis:${region}:${account_id}:stream/*"
},
但是当我尝试将策略应用于 s3 存储桶时,我得到以下信息:
Error: Error putting S3 policy: MalformedPolicy: Policy has invalid action
│状态码:400,请求id:xxxxxxxxxxxxx,主机id:xxxxxxxxxxxxxxxxxxxxxxxxxxxx │
为什么我会收到这个错误?
链接的 AWS 文档中给出的策略应附加到与 kinesis firehose 关联的 IAM 角色。
S3 存储桶策略是基于资源的策略。在基于资源的策略中,您可以指定仅与该特定资源相关的操作(在本例中为 S3 存储桶)。但是由于您正在尝试将运动数据流操作添加到 S3 存储桶策略,因此您收到“无效操作”错误
这个区块:
{
"Effect": "Allow",
"Action": [
"kinesis:DescribeStream",
"kinesis:GetShardIterator",
"kinesis:GetRecords",
"kinesis:ListShards"
],
"Resource": "arn:aws:kinesis:region:account-id:stream/stream-name"
},
表示要对 Kinesis 数据流执行的操作,而不是 Kinesis 交付流。这是 AWS 文档中的错误。如果您不从数据流中提供传输流,则可以删除此块。