为什么我会收到以下错误? "Error putting S3 policy: MalformedPolicy: Policy has invalid action"

Why am I getting an the following error? "Error putting S3 policy: MalformedPolicy: Policy has invalid action"

我正在按照指南 here 允许将日志写入 s3。

"使用以下访问策略使 Kinesis Data Firehose 能够访问您的 S3 存储桶和 AWS KMS 密钥。如果您不拥有 S3 存储桶,请将 s3:PutObjectAcl 添加到 Amazon S3 操作列表中。这会授予存储桶所有者对 Kinesis Data Firehose 交付的对象的完全访问权限。“

{
"Version": "2012-10-17",  
"Statement":
[    
    {      
        "Effect": "Allow",      
        "Action": [
            "s3:AbortMultipartUpload",
            "s3:GetBucketLocation",
            "s3:GetObject",
            "s3:ListBucket",
            "s3:ListBucketMultipartUploads",
            "s3:PutObject"
        ],      
        "Resource": [        
            "arn:aws:s3:::bucket-name",
            "arn:aws:s3:::bucket-name/*"            
        ]    
    },        
    {
        "Effect": "Allow",
        "Action": [
            "kinesis:DescribeStream",
            "kinesis:GetShardIterator",
            "kinesis:GetRecords",
            "kinesis:ListShards"
        ],
        "Resource": "arn:aws:kinesis:region:account-id:stream/stream-name"
    },
    {
       "Effect": "Allow",
       "Action": [
           "kms:Decrypt",
           "kms:GenerateDataKey"
       ],
       "Resource": [
           "arn:aws:kms:region:account-id:key/key-id"           
       ],
       "Condition": {
           "StringEquals": {
               "kms:ViaService": "s3.region.amazonaws.com"
           },
           "StringLike": {
               "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::bucket-name/prefix*"
           }
       }
    },
    {
       "Effect": "Allow",
       "Action": [
           "logs:PutLogEvents"
       ],
       "Resource": [
           "arn:aws:logs:region:account-id:log-group:log-group-name:log-stream:log-stream-name"
       ]
    },
    {
       "Effect": "Allow", 
       "Action": [
           "lambda:InvokeFunction", 
           "lambda:GetFunctionConfiguration" 
       ],
       "Resource": [
           "arn:aws:lambda:region:account-id:function:function-name:function-version"
       ]
    }
]

}

具体来说,我看到错误的块如下(我已经包含了主体,因为这是必需的):

    {
        "Effect": "Allow",
        "Principal": {
            "AWS": [
                "${account_id}"
            ]
        },
        "Action": [
            "kinesis:DescribeStream",
            "kinesis:GetShardIterator",
            "kinesis:GetRecords",
            "kinesis:ListShards"
        ],
        "Resource": "arn:aws:kinesis:${region}:${account_id}:stream/*"
    },

但是当我尝试将策略应用于 s3 存储桶时,我得到以下信息:

Error: Error putting S3 policy: MalformedPolicy: Policy has invalid action

│状态码:400,请求id:xxxxxxxxxxxxx,主机id:xxxxxxxxxxxxxxxxxxxxxxxxxxxx │

为什么我会收到这个错误?

链接的 AWS 文档中给出的策略应附加到与 kinesis firehose 关联的 IAM 角色。

S3 存储桶策略是基于资源的策略。在基于资源的策略中,您可以指定仅与该特定资源相关的操作(在本例中为 S3 存储桶)。但是由于您正在尝试将运动数据流操作添加到 S3 存储桶策略,因此您收到“无效操作”错误

这个区块:

{
    "Effect": "Allow",
    "Action": [
        "kinesis:DescribeStream",
        "kinesis:GetShardIterator",
        "kinesis:GetRecords",
        "kinesis:ListShards"
    ],
    "Resource": "arn:aws:kinesis:region:account-id:stream/stream-name"
},

表示要对 Kinesis 数据流执行的操作,而不是 Kinesis 交付流。这是 AWS 文档中的错误。如果您不从数据流中提供传输流,则可以删除此块。