尝试授予对 S3 存储桶的云端访问权限,但得到 "Policy has invalid action"

Trying to grant cloudfront access to S3 bucket, but get "Policy has invalid action"

我正在尝试授予对存储我的网站的 S3 存储桶的云端访问权限。

这是我正在关注的代码:https://github.com/JoshM1994/cdk-static-website/blob/main/packages/infrastructure/lib/cdk-static-website-stack.ts

这是我的代码:

// Amazon S3 bucket to store  website
const websiteBucket = new S3.Bucket(this, "eCommerceWebsite", {
  bucketName: `${props.websiteDomain}-${props.env.account}-${props.env.region}`,
  websiteIndexDocument: "index.html",
  websiteErrorDocument: "error.html",
  removalPolicy: CDK.RemovalPolicy.DESTROY,
  // autoDeleteObjects: true,

  accessControl: S3.BucketAccessControl.PRIVATE,
  encryption: S3.BucketEncryption.S3_MANAGED,
  publicReadAccess: false,
  blockPublicAccess: S3.BlockPublicAccess.BLOCK_ALL,
});

const hostedZone = Route53.HostedZone.fromLookup(this, "HostedZoneId", {
  domainName: props.websiteDomain,
});

const certificateManagerCertificate = new ACM.Certificate(
  this,
  "CertificateManagerCertificate",
  {
    domainName: props.websiteDomain,
    validation: ACM.CertificateValidation.fromDns(hostedZone),
  }
);

// Create a special CloudFront user called an origin access identity (OAI)
// and associate it with the CloudFront distribution.

const cloudFrontOAI = new CloudFront.OriginAccessIdentity(
  this,
  "eCommerceWebsiteOriginAccessIdentityID"
);

const cloudfrontUserAccessPolicy = new IAM.PolicyStatement();
cloudfrontUserAccessPolicy.addActions("s3:GetBucket");
cloudfrontUserAccessPolicy.addPrincipals(cloudFrontOAI.grantPrincipal);
cloudfrontUserAccessPolicy.addResources(websiteBucket.arnForObjects("*"));
websiteBucket.addToResourcePolicy(cloudfrontUserAccessPolicy);

//websiteBucket.grantRead(cloudFrontOAI.grantPrincipal);

const cloudFrontDistribution = new CloudFront.Distribution(
  this,
  "CloudFrontDistribution",
  {
    domainNames: [props.websiteDomain],
    defaultBehavior: {
      origin: new CloudFrontOrigins.S3Origin(websiteBucket, {
        // CloudFront can use the OAI to access the files in the S3 bucket and serve them to users.
        // Users can’t use a direct URL to the S3 bucket to access a file there.
        originAccessIdentity: cloudFrontOAI,
      }),
      compress: true,
      allowedMethods: CloudFront.AllowedMethods.ALLOW_GET_HEAD,
      cachedMethods: CloudFront.CachedMethods.CACHE_GET_HEAD,
      viewerProtocolPolicy: CloudFront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
      cachePolicy: CloudFront.CachePolicy.CACHING_OPTIMIZED,
    },
    errorResponses: [
      {
        httpStatus: 403,
        responsePagePath: "/index.html",
        responseHttpStatus: 200,
        ttl: CDK.Duration.minutes(0),
      },
      {
        httpStatus: 404,
        responsePagePath: "/index.html",
        responseHttpStatus: 200,
        ttl: CDK.Duration.minutes(0),
      },
    ],
    priceClass: CloudFront.PriceClass.PRICE_CLASS_ALL,
    enabled: true,
    certificate: certificateManagerCertificate,
    minimumProtocolVersion: CloudFront.SecurityPolicyProtocol.TLS_V1_2_2021,
    httpVersion: CloudFront.HttpVersion.HTTP2,
    defaultRootObject: "index.html",
    enableIpv6: true,
  }
);

但是,我在尝试使用 CDK 进行部署时遇到错误。错误是:

The following resource(s) failed to update: [eCommerceWebsitePolicy92E398F1].

Policy has invalid action (Service: Amazon S3; Status Code: 400; Error Code: MalformedPolicy; Request ID: PHX7S4KTFBYQS57H; S3 Extended Request ID: fAXj+BqXjzDtyO3nqcJ+G9ZILWMrftZYRocZ/q1othOw7xdG7J1pTN5MU2rNJi978+sbQInZzN8=; Proxy: null)

这是生成的cloudformation:

"eCommerceWebsitePolicy92E398F1": {
   "Type": "AWS::S3::BucketPolicy",
   "Properties": {
    "Bucket": {
     "Ref": "eCommerceWebsite1384DBEE"
    },
    "PolicyDocument": {
     "Statement": [
      {
       "Action": "s3:GetBucket",
       "Effect": "Allow",
       "Principal": {
        "CanonicalUser": {
         "Fn::GetAtt": [
          "eCommerceWebsiteOriginAccessIdentityIDF6581C41",
          "S3CanonicalUserId"
         ]
        }
       },
       "Resource": {
        "Fn::Join": [
         "",
         [
          {
           "Fn::GetAtt": [
            "eCommerceWebsite1384DBEE",
            "Arn"
           ]
          },
          "/*"
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    }
   },

这里出了什么问题?

没有名为 s3:GetBucket 的操作。可能你想要 s3:GetObjects3:ListBucket.