从专用用户访问 S3 存储桶(策略失败?)
Accessing S3 bucket from a dedicated user ( policy failure ? )
我正在尝试使用 terraform 为 upload/download 创建一个带有专用用户的 S3 存储桶。
由于某种原因,正在创建的用户无法访问存储桶:
$ aws iam list-attached-user-policies --user-name csgoserver
{
"AttachedPolicies": [
{
"PolicyName": "AllowUsercsgoserverAccessTocsgofiles",
"PolicyArn": "arn:aws:iam::370179080679:policy/AllowUsercsgoserverAccessTocsgofiles"
}
]
}
$ aws s3 cp bucket.tf s3://csgofiles --profile test
upload failed: .\bucket.tf to s3://csgofiles/bucket.tf An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
$ aws iam get-user-policy --user-name csgoserver --policy-name AllowUsercsgoserverAccessTocsgofiles
An error occurred (NoSuchEntity) when calling the GetUserPolicy operation: The user policy with name AllowUsercsgoserverAccessTocsgofiles cannot be found.
user.tf:
resource "aws_iam_user" "s3user" {
name = var.user_name
force_destroy = true
}
data "aws_iam_policy_document" "default" {
statement {
sid = "AllowUser${var.user_name}AccessTo${var.bucket_name}"
actions = ["s3:*"]
resources = ["arn:aws:s3:::${var.bucket_name}"]
effect = "Allow"
}
}
resource "aws_iam_user_policy" "s3user_policy" {
name = aws_iam_user.s3user.name
user = aws_iam_user.s3user.name
policy = join("", data.aws_iam_policy_document.default.*.json)
}
resource "aws_iam_access_key" "s3user_ak" {
user = aws_iam_user.s3user.name
}
还有一件事我不明白。 aws iam get-policy 不适用于该策略:
$ aws iam list-policies --max-items 2
{
"Policies": [
{
"PolicyName": "AllowUsercsgoserverAccessTocsgofiles",
"PolicyId": "ANPAVMMDEQHTRE4NG3N2E",
"Arn": "arn:aws:iam::370179080679:policy/AllowUsercsgoserverAccessTocsgofiles",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 1,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2021-11-26T22:17:52+00:00",
"UpdateDate": "2021-11-26T22:17:52+00:00"
},
{
"PolicyName": "eks-full-access-policy",
"PolicyId": "ANPAVMMDEQHTR4C65WFT6",
"Arn": "arn:aws:iam::370179080679:policy/eks-full-access-policy",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 0,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2021-03-30T09:57:04+00:00",
"UpdateDate": "2021-03-30T09:57:04+00:00"
}
],
"NextToken": "eyJNYXJrZXIiOiBudWxsLCAiYm90b190cnVuY2F0ZV9hbW91bnQiOiAyfQ=="
}
$ aws iam get-policy --policy-arn arn:aws:iam::370179080679:policy/AllowUsercsgoserverAccessTocsgofile
An error occurred (NoSuchEntity) when calling the GetPolicy operation: Policy arn:aws:iam::370179080679:policy/AllowUsercsgoserverAccessTocsgofile was not found.
$ aws iam get-policy --policy-arn arn:aws:iam::370179080679:policy/eks-full-access-policy
{
"Policy": {
"PolicyName": "eks-full-access-policy",
"PolicyId": "ANPAVMMDEQHTR4C65WFT6",
"Arn": "arn:aws:iam::370179080679:policy/eks-full-access-policy",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 0,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2021-03-30T09:57:04+00:00",
"UpdateDate": "2021-03-30T09:57:04+00:00"
}
}
我认为您的 IAM 政策无效。
您可以使用类似于以下内容的内容:
{
"Id": "Policy1638106306386",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1638106302079",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::examplebucket",
"Principal": {
"AWS": [
"370179080679"
]
}
}
]
}
我还建议将政策内嵌在您的 aws_iam_user_policy 资源中,而不是使用数据源。
查看文档,似乎政策是 aws_iam_user_policy 资源中的必填字段。
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy
可能像下面这样:
resource "aws_iam_user_policy" "s3user_policy" {
name = aws_iam_user.s3user.name
user = aws_iam_user.s3user.name
policy = jsonencode ({
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1638106302079",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::examplebucket/*",
}
]
})
我在最后的 Resource 键中遗漏了两个字符 /* ...
data "aws_iam_policy_document" "default" {
statement {
sid = "AllowUser${var.user_name}AccessTo${var.bucket_name}"
actions = ["s3:*"]
resources = ["arn:aws:s3:::${var.bucket_name}/*"]
effect = "Allow"
}
}
我正在尝试使用 terraform 为 upload/download 创建一个带有专用用户的 S3 存储桶。
由于某种原因,正在创建的用户无法访问存储桶:
$ aws iam list-attached-user-policies --user-name csgoserver
{
"AttachedPolicies": [
{
"PolicyName": "AllowUsercsgoserverAccessTocsgofiles",
"PolicyArn": "arn:aws:iam::370179080679:policy/AllowUsercsgoserverAccessTocsgofiles"
}
]
}
$ aws s3 cp bucket.tf s3://csgofiles --profile test
upload failed: .\bucket.tf to s3://csgofiles/bucket.tf An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
$ aws iam get-user-policy --user-name csgoserver --policy-name AllowUsercsgoserverAccessTocsgofiles
An error occurred (NoSuchEntity) when calling the GetUserPolicy operation: The user policy with name AllowUsercsgoserverAccessTocsgofiles cannot be found.
user.tf:
resource "aws_iam_user" "s3user" {
name = var.user_name
force_destroy = true
}
data "aws_iam_policy_document" "default" {
statement {
sid = "AllowUser${var.user_name}AccessTo${var.bucket_name}"
actions = ["s3:*"]
resources = ["arn:aws:s3:::${var.bucket_name}"]
effect = "Allow"
}
}
resource "aws_iam_user_policy" "s3user_policy" {
name = aws_iam_user.s3user.name
user = aws_iam_user.s3user.name
policy = join("", data.aws_iam_policy_document.default.*.json)
}
resource "aws_iam_access_key" "s3user_ak" {
user = aws_iam_user.s3user.name
}
还有一件事我不明白。 aws iam get-policy 不适用于该策略:
$ aws iam list-policies --max-items 2
{
"Policies": [
{
"PolicyName": "AllowUsercsgoserverAccessTocsgofiles",
"PolicyId": "ANPAVMMDEQHTRE4NG3N2E",
"Arn": "arn:aws:iam::370179080679:policy/AllowUsercsgoserverAccessTocsgofiles",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 1,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2021-11-26T22:17:52+00:00",
"UpdateDate": "2021-11-26T22:17:52+00:00"
},
{
"PolicyName": "eks-full-access-policy",
"PolicyId": "ANPAVMMDEQHTR4C65WFT6",
"Arn": "arn:aws:iam::370179080679:policy/eks-full-access-policy",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 0,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2021-03-30T09:57:04+00:00",
"UpdateDate": "2021-03-30T09:57:04+00:00"
}
],
"NextToken": "eyJNYXJrZXIiOiBudWxsLCAiYm90b190cnVuY2F0ZV9hbW91bnQiOiAyfQ=="
}
$ aws iam get-policy --policy-arn arn:aws:iam::370179080679:policy/AllowUsercsgoserverAccessTocsgofile
An error occurred (NoSuchEntity) when calling the GetPolicy operation: Policy arn:aws:iam::370179080679:policy/AllowUsercsgoserverAccessTocsgofile was not found.
$ aws iam get-policy --policy-arn arn:aws:iam::370179080679:policy/eks-full-access-policy
{
"Policy": {
"PolicyName": "eks-full-access-policy",
"PolicyId": "ANPAVMMDEQHTR4C65WFT6",
"Arn": "arn:aws:iam::370179080679:policy/eks-full-access-policy",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 0,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2021-03-30T09:57:04+00:00",
"UpdateDate": "2021-03-30T09:57:04+00:00"
}
}
我认为您的 IAM 政策无效。 您可以使用类似于以下内容的内容:
{
"Id": "Policy1638106306386",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1638106302079",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::examplebucket",
"Principal": {
"AWS": [
"370179080679"
]
}
}
]
}
我还建议将政策内嵌在您的 aws_iam_user_policy 资源中,而不是使用数据源。
查看文档,似乎政策是 aws_iam_user_policy 资源中的必填字段。
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy
可能像下面这样:
resource "aws_iam_user_policy" "s3user_policy" {
name = aws_iam_user.s3user.name
user = aws_iam_user.s3user.name
policy = jsonencode ({
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1638106302079",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::examplebucket/*",
}
]
})
我在最后的 Resource 键中遗漏了两个字符 /* ...
data "aws_iam_policy_document" "default" {
statement {
sid = "AllowUser${var.user_name}AccessTo${var.bucket_name}"
actions = ["s3:*"]
resources = ["arn:aws:s3:::${var.bucket_name}/*"]
effect = "Allow"
}
}