Create Policy in CloudFormation Granting Access to S3 Buckets From Separate AWS Account

I have read the "Specifying Principals in a Policy" documentation: https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-bucket-user-policy-specifying-principal-intro.html, and am inferring some behaviors from there and from other SO questions (like "aws lambda function getting access denied when getObject from s3") that are not specific to CloudFormation.

When I try to create a policy that grants an external role access to a local bucket, I keep getting stuck on this error. The CloudFormation error is: Policy document should not specify a principal.

Breakdown of the situation

I have two AWS accounts. Account A creates a bucket, and I want to grant Account B write access to it.

In Account A's CloudFormation, I create a policy that grants an Account B role access to said bucket, following the guidance from https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html. The role exists in Account B.

  AccountBWriteToS3Policy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: AccountBWriteToS3Policy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
        - Principal:
            AWS: 'arn:aws:iam::123456789876:role/AccountBRole'
          Effect: Allow
          Action:
          - 's3:PutObject'
          - 's3:ListBucket'
          Resource: !Sub
          - '${bucketArn}/*'
          - bucketArn: !GetAtt
            - AccountABucket
            - Arn
      Roles:
      - AccountARole

But the CloudFormation execution fails and rolls back with the error Policy document should not specify a principal.

I'm confused.

Can anyone explain this error?

Can anyone point the way forward?

This seems like a simple and common requirement, covered in many examples. Perhaps I should specify the policy in the bucket declaration itself rather than creating an account-wide policy?
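The error comes from the policy type: AWS::IAM::Policy is an identity-based policy, attached to a user, group or role in the same account, so it is not allowed to carry a Principal element. The "who" belongs in a resource-based policy, which for S3 is AWS::S3::BucketPolicy. The following template is an added example (not the question's or the answer's code) showing the account A side of that approach; the bucket logical name AccountABucket is reused from the question and the account B role ARN is a placeholder parameter.

```yaml
# Added example, not part of the original question or answer.
# Deployed in account A. The bucket policy (resource-based) names the
# account B role as Principal; that is what AWS::IAM::Policy cannot do.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  AccountBRoleArn:
    Type: String
    # Placeholder; the role must already exist in account B, otherwise
    # the bucket policy is rejected with "Invalid principal in policy".
    Default: 'arn:aws:iam::123456789876:role/AccountBRole'
Resources:
  AccountABucket:
    Type: AWS::S3::Bucket
    Properties:
      OwnershipControls:
        Rules:
          # Account A owns every object, including those written by account B.
          - ObjectOwnership: BucketOwnerEnforced
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true      # does not block grants to a specific account
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  AccountABucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref AccountABucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowAccountBRoleToListBucket
            Effect: Allow
            Principal:
              AWS: !Ref AccountBRoleArn   # a specific role, not the account root
            Action:
              - s3:ListBucket
            Resource: !GetAtt AccountABucket.Arn   # ListBucket applies to the bucket ARN
          - Sid: AllowAccountBRoleToPutObject
            Effect: Allow
            Principal:
              AWS: !Ref AccountBRoleArn
            Action:
              - s3:PutObject
            Resource: !Sub '${AccountABucket.Arn}/*'   # object actions need the /* form
```

Two things to check when using this pattern. First, a cross-account request must be allowed on both sides: account B also needs an identity-based policy attached to AccountBRole that allows s3:ListBucket and s3:PutObject on the same ARNs, and that one has no Principal. Second, granting to the specific role ARN rather than arn:aws:iam::123456789876:root keeps the grant narrow; with :root, any principal account B's administrators choose to delegate to could write into the bucket.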

You need to create a role with a "Trust policy" using a principal, and then a "permission policy" that allows read/write access to the S3 bucket.

Here is a snippet from my CloudFormation.

  Role:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: !Sub '${RuleName}-Role'
      Path: "/"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          # Principal must be a map (AWS: <ARN>); a bare string is only valid for "*",
          # and wildcards such as user/* are not allowed inside a principal ARN.
          # The account root ARN trusts whatever principals that account delegates.
          Principal:
            AWS: !Sub 'arn:aws:iam::${AccountID}:root'
          Action: sts:AssumeRole
  RolePolicies:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: !Sub '${RuleName}-RolePolicies'
      Roles:
        - Ref: "Role"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Effect: Allow
          Action:
          - s3:Get*
          - s3:Put*
          - s3:List*
          - s3:AbortMultipartUpload
          # !Ref on a bucket returns its name, not an ARN; IAM requires ARNs here.
          Resource:
          - !GetAtt Bucket.Arn          # bucket-level actions (List*)
          - !Sub '${Bucket.Arn}/*'      # object-level actions (Get*, Put*, AbortMultipartUpload)

Reference: Cross account tutorial