尝试授予对 S3 存储桶的云端访问权限,但得到 "Policy has invalid action"
Trying to grant cloudfront access to S3 bucket, but get "Policy has invalid action"
我正在尝试授予对存储我的网站的 S3 存储桶的云端访问权限。
这是我的代码:
// Amazon S3 bucket to store website
const websiteBucket = new S3.Bucket(this, "eCommerceWebsite", {
bucketName: `${props.websiteDomain}-${props.env.account}-${props.env.region}`,
websiteIndexDocument: "index.html",
websiteErrorDocument: "error.html",
removalPolicy: CDK.RemovalPolicy.DESTROY,
// autoDeleteObjects: true,
accessControl: S3.BucketAccessControl.PRIVATE,
encryption: S3.BucketEncryption.S3_MANAGED,
publicReadAccess: false,
blockPublicAccess: S3.BlockPublicAccess.BLOCK_ALL,
});
const hostedZone = Route53.HostedZone.fromLookup(this, "HostedZoneId", {
domainName: props.websiteDomain,
});
const certificateManagerCertificate = new ACM.Certificate(
this,
"CertificateManagerCertificate",
{
domainName: props.websiteDomain,
validation: ACM.CertificateValidation.fromDns(hostedZone),
}
);
// Create a special CloudFront user called an origin access identity (OAI)
// and associate it with the CloudFront distribution.
const cloudFrontOAI = new CloudFront.OriginAccessIdentity(
this,
"eCommerceWebsiteOriginAccessIdentityID"
);
const cloudfrontUserAccessPolicy = new IAM.PolicyStatement();
cloudfrontUserAccessPolicy.addActions("s3:GetBucket");
cloudfrontUserAccessPolicy.addPrincipals(cloudFrontOAI.grantPrincipal);
cloudfrontUserAccessPolicy.addResources(websiteBucket.arnForObjects("*"));
websiteBucket.addToResourcePolicy(cloudfrontUserAccessPolicy);
//websiteBucket.grantRead(cloudFrontOAI.grantPrincipal);
const cloudFrontDistribution = new CloudFront.Distribution(
this,
"CloudFrontDistribution",
{
domainNames: [props.websiteDomain],
defaultBehavior: {
origin: new CloudFrontOrigins.S3Origin(websiteBucket, {
// CloudFront can use the OAI to access the files in the S3 bucket and serve them to users.
// Users can’t use a direct URL to the S3 bucket to access a file there.
originAccessIdentity: cloudFrontOAI,
}),
compress: true,
allowedMethods: CloudFront.AllowedMethods.ALLOW_GET_HEAD,
cachedMethods: CloudFront.CachedMethods.CACHE_GET_HEAD,
viewerProtocolPolicy: CloudFront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
cachePolicy: CloudFront.CachePolicy.CACHING_OPTIMIZED,
},
errorResponses: [
{
httpStatus: 403,
responsePagePath: "/index.html",
responseHttpStatus: 200,
ttl: CDK.Duration.minutes(0),
},
{
httpStatus: 404,
responsePagePath: "/index.html",
responseHttpStatus: 200,
ttl: CDK.Duration.minutes(0),
},
],
priceClass: CloudFront.PriceClass.PRICE_CLASS_ALL,
enabled: true,
certificate: certificateManagerCertificate,
minimumProtocolVersion: CloudFront.SecurityPolicyProtocol.TLS_V1_2_2021,
httpVersion: CloudFront.HttpVersion.HTTP2,
defaultRootObject: "index.html",
enableIpv6: true,
}
);
但是,我在尝试使用 CDK 进行部署时遇到错误。错误是:
The following resource(s) failed to update: [eCommerceWebsitePolicy92E398F1].
Policy has invalid action (Service: Amazon S3; Status Code: 400; Error Code: MalformedPolicy; Request ID: PHX7S4KTFBYQS57H; S3 Extended Request ID: fAXj+BqXjzDtyO3nqcJ+G9ZILWMrftZYRocZ/q1othOw7xdG7J1pTN5MU2rNJi978+sbQInZzN8=; Proxy: null)
这是生成的cloudformation:
"eCommerceWebsitePolicy92E398F1": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "eCommerceWebsite1384DBEE"
},
"PolicyDocument": {
"Statement": [
{
"Action": "s3:GetBucket",
"Effect": "Allow",
"Principal": {
"CanonicalUser": {
"Fn::GetAtt": [
"eCommerceWebsiteOriginAccessIdentityIDF6581C41",
"S3CanonicalUserId"
]
}
},
"Resource": {
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"eCommerceWebsite1384DBEE",
"Arn"
]
},
"/*"
]
]
}
}
],
"Version": "2012-10-17"
}
},
这里出了什么问题?
没有名为 s3:GetBucket
的操作。可能你想要 s3:GetObject
或 s3:ListBucket
.
我正在尝试授予对存储我的网站的 S3 存储桶的云端访问权限。
这是我的代码:
// Amazon S3 bucket to store website
const websiteBucket = new S3.Bucket(this, "eCommerceWebsite", {
bucketName: `${props.websiteDomain}-${props.env.account}-${props.env.region}`,
websiteIndexDocument: "index.html",
websiteErrorDocument: "error.html",
removalPolicy: CDK.RemovalPolicy.DESTROY,
// autoDeleteObjects: true,
accessControl: S3.BucketAccessControl.PRIVATE,
encryption: S3.BucketEncryption.S3_MANAGED,
publicReadAccess: false,
blockPublicAccess: S3.BlockPublicAccess.BLOCK_ALL,
});
const hostedZone = Route53.HostedZone.fromLookup(this, "HostedZoneId", {
domainName: props.websiteDomain,
});
const certificateManagerCertificate = new ACM.Certificate(
this,
"CertificateManagerCertificate",
{
domainName: props.websiteDomain,
validation: ACM.CertificateValidation.fromDns(hostedZone),
}
);
// Create a special CloudFront user called an origin access identity (OAI)
// and associate it with the CloudFront distribution.
const cloudFrontOAI = new CloudFront.OriginAccessIdentity(
this,
"eCommerceWebsiteOriginAccessIdentityID"
);
const cloudfrontUserAccessPolicy = new IAM.PolicyStatement();
cloudfrontUserAccessPolicy.addActions("s3:GetBucket");
cloudfrontUserAccessPolicy.addPrincipals(cloudFrontOAI.grantPrincipal);
cloudfrontUserAccessPolicy.addResources(websiteBucket.arnForObjects("*"));
websiteBucket.addToResourcePolicy(cloudfrontUserAccessPolicy);
//websiteBucket.grantRead(cloudFrontOAI.grantPrincipal);
const cloudFrontDistribution = new CloudFront.Distribution(
this,
"CloudFrontDistribution",
{
domainNames: [props.websiteDomain],
defaultBehavior: {
origin: new CloudFrontOrigins.S3Origin(websiteBucket, {
// CloudFront can use the OAI to access the files in the S3 bucket and serve them to users.
// Users can’t use a direct URL to the S3 bucket to access a file there.
originAccessIdentity: cloudFrontOAI,
}),
compress: true,
allowedMethods: CloudFront.AllowedMethods.ALLOW_GET_HEAD,
cachedMethods: CloudFront.CachedMethods.CACHE_GET_HEAD,
viewerProtocolPolicy: CloudFront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
cachePolicy: CloudFront.CachePolicy.CACHING_OPTIMIZED,
},
errorResponses: [
{
httpStatus: 403,
responsePagePath: "/index.html",
responseHttpStatus: 200,
ttl: CDK.Duration.minutes(0),
},
{
httpStatus: 404,
responsePagePath: "/index.html",
responseHttpStatus: 200,
ttl: CDK.Duration.minutes(0),
},
],
priceClass: CloudFront.PriceClass.PRICE_CLASS_ALL,
enabled: true,
certificate: certificateManagerCertificate,
minimumProtocolVersion: CloudFront.SecurityPolicyProtocol.TLS_V1_2_2021,
httpVersion: CloudFront.HttpVersion.HTTP2,
defaultRootObject: "index.html",
enableIpv6: true,
}
);
但是,我在尝试使用 CDK 进行部署时遇到错误。错误是:
The following resource(s) failed to update: [eCommerceWebsitePolicy92E398F1].
Policy has invalid action (Service: Amazon S3; Status Code: 400; Error Code: MalformedPolicy; Request ID: PHX7S4KTFBYQS57H; S3 Extended Request ID: fAXj+BqXjzDtyO3nqcJ+G9ZILWMrftZYRocZ/q1othOw7xdG7J1pTN5MU2rNJi978+sbQInZzN8=; Proxy: null)
这是生成的cloudformation:
"eCommerceWebsitePolicy92E398F1": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "eCommerceWebsite1384DBEE"
},
"PolicyDocument": {
"Statement": [
{
"Action": "s3:GetBucket",
"Effect": "Allow",
"Principal": {
"CanonicalUser": {
"Fn::GetAtt": [
"eCommerceWebsiteOriginAccessIdentityIDF6581C41",
"S3CanonicalUserId"
]
}
},
"Resource": {
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"eCommerceWebsite1384DBEE",
"Arn"
]
},
"/*"
]
]
}
}
],
"Version": "2012-10-17"
}
},
这里出了什么问题?
没有名为 s3:GetBucket
的操作。可能你想要 s3:GetObject
或 s3:ListBucket
.