Terraform Failure configuring LB attributes
I've followed the first answer on this post on StackOverflow but I obtain this error:
Failure configuring LB attributes: InvalidConfigurationRequest: Access Denied for bucket: myproject-log. Please check S3bucket permission status code: 400
This is my code:
s3_bucket

```hcl
data "aws_elb_service_account" "main" {}

resource "aws_s3_bucket" "bucket_log" {
  bucket = "${var.project}-log"
  acl    = "log-delivery-write"
  policy = <<POLICY
{
  "Id": "Policy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::${var.project}-log/AWSLogs/*",
      "Principal": {
        "AWS": [
          "${data.aws_elb_service_account.main.arn}"
        ]
      }
    }
  ]
}
POLICY
}
```
load balancer

```hcl
resource "aws_lb" "vm_stage" {
  name               = "${var.project}-lb-stg"
  internal           = false
  load_balancer_type = "application"
  subnets            = [aws_subnet.subnet_1.id, aws_subnet.subnet_2.id, aws_subnet.subnet_3.id]
  security_groups    = [aws_security_group.elb_project_stg.id]

  access_logs {
    bucket  = aws_s3_bucket.bucket_log.id
    prefix  = "lb-stg"
    enabled = true
  }

  tags = {
    Name = "${var.project}-lb-stg"
  }
}
```
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html
Reference the docs above and change your bucket's IAM policy to reflect what the documentation states. The logging is actually done by AWS and not your roles or IAM users. So you need to give AWS permission to do this. That's why the docs show statements in the policy that specify the delivery.logs.amazonaws.com principal. That principal is the AWS logging service. Even though your bucket is hosted on AWS, they don't give themselves access to your bucket by default. You have to explicitly grant access to AWS if you want their services to work.
As per this post, I was able to resolve this issue by disabling KMS and using SSE-S3 for bucket encryption. Also, there are additional permissions listed in the AWS docs.
Just going to drop this here since this cross-applies to another question that was asked.
This took me a while to figure out, but the S3 bucket has two requirements per the documentation:
Source: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html
While the error message given makes it seem like a permissions issue, it may actually be an issue with the bucket having the wrong encryption type. In my case the issue was that my bucket was unencrypted.
Updated the bucket to SSE-S3 encryption and I no longer received the error:
```hcl
resource "aws_s3_bucket" "s3_access_logs_bucket" {
  bucket = var.access_logs_bucket_name
  acl    = "private"

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  versioning {
    enabled = true
  }
}
```
And just because, here's the policy I used:

```hcl
data "aws_elb_service_account" "main" {}

data "aws_iam_policy_document" "s3_lb_write" {
  statement {
    principals {
      identifiers = ["${data.aws_elb_service_account.main.arn}"]
      type        = "AWS"
    }

    actions = ["s3:PutObject"]

    resources = [
      "${aws_s3_bucket.s3_access_logs_bucket.arn}/*"
    ]
  }
}

resource "aws_s3_bucket_policy" "load_balancer_access_logs_bucket_policy" {
  bucket = aws_s3_bucket.s3_access_logs_bucket.id
  policy = data.aws_iam_policy_document.s3_lb_write.json
}
```
I struggled with this as well; the entire terraform bucket policy that worked for me is below.

```hcl
data "aws_iam_policy_document" "elb_bucket_policy" {
  statement {
    effect = "Allow"
    resources = [
      "arn:aws:s3:::unique-bucket-name/${local.prefix}/AWSLogs/${local.application_account_id}/*",
    ]
    actions = ["s3:PutObject"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.elb_account_id}:root"]
    }
  }

  statement {
    effect = "Allow"
    resources = [
      "arn:aws:s3:::unique-bucket-name/${local.prefix}/AWSLogs/${local.application_account_id}/*",
    ]
    actions = ["s3:PutObject"]
    principals {
      type        = "Service"
      identifiers = ["logdelivery.elb.amazonaws.com"]
    }
  }

  statement {
    effect = "Allow"
    resources = [
      "arn:aws:s3:::unique-bucket-name/${local.prefix}/AWSLogs/${local.application_account_id}/*",
    ]
    actions = ["s3:PutObject"]
    principals {
      type        = "Service"
      identifiers = ["logdelivery.elb.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }
}
```
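As an added check that is not part of the question or any of the answers: the script below tests a bucket policy and the bucket's default SSE algorithm against what the aws_lb access_logs block needs, and flags a Resource path that does not reach under the configured prefix (the question's policy covers myproject-log/AWSLogs/*, while its access_logs block sets prefix lb-stg, so the load balancer writes under lb-stg/AWSLogs/<account-id>/). The account ids and the sample object key are constructed placeholders.

```python
import fnmatch
import json
# Constructed placeholders (not real account ids): ELB_ACCOUNT_ID stands in for the regional
# ELB account that data.aws_elb_service_account returns, APP_ACCOUNT_ID for the LB's own account.
ELB_ACCOUNT_ID = "123456789012"
APP_ACCOUNT_ID = "111122223333"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def sample_log_object_arn(bucket, prefix, app_account):
    # The LB writes under <prefix>/AWSLogs/<account-id>/..., so "<bucket>/AWSLogs/*" is not enough.
    key = f"{prefix}/AWSLogs/{app_account}/elasticloadbalancing/eu-west-1/2024/01/01/log.gz"
    return f"arn:aws:s3:::{bucket}/{key}"

def allows_put_object(policy, principal_type, principal, object_arn):
    """True if some Allow statement lets `principal` s3:PutObject on `object_arn`."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "s3:PutObject" not in _as_list(st.get("Action", [])):
            continue
        principals = st.get("Principal") if isinstance(st.get("Principal"), dict) else {}
        if principal not in _as_list(principals.get(principal_type, [])):
            continue
        # IAM resource globs: '*' matches any run of characters, '/' included.
        if any(fnmatch.fnmatchcase(object_arn, pat) for pat in _as_list(st.get("Resource", []))):
            return True
    return False

def check_access_log_bucket(policy_json, sse_algorithm, bucket, prefix, app_account, elb_account):
    """Return the reasons an aws_lb access_logs block would be rejected for this bucket."""
    policy = json.loads(policy_json)
    problems = []
    target = sample_log_object_arn(bucket, prefix, app_account)
    if not allows_put_object(policy, "AWS", f"arn:aws:iam::{elb_account}:root", target):
        problems.append("policy does not allow the ELB account to PutObject under the log prefix")
    # Access logs are written with SSE-S3; a KMS-encrypted bucket is rejected (see the answers).
    if sse_algorithm != "AES256":
        problems.append(f"default encryption is {sse_algorithm!r}; ELB access logs need AES256")
    return problems

# Constructed policy in the shape of the question: Resource stops at AWSLogs/* and ignores
# the "lb-stg" prefix set in the aws_lb block, so the load balancer's writes are not covered.
QUESTION_STYLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:PutObject"],
                   "Resource": "arn:aws:s3:::myproject-log/AWSLogs/*",
                   "Principal": {"AWS": [f"arn:aws:iam::{ELB_ACCOUNT_ID}:root"]}}],
})
# The same policy with the documented path, <prefix>/AWSLogs/<account-id>/*.
FIXED_POLICY = QUESTION_STYLE_POLICY.replace(
    "myproject-log/AWSLogs/*", f"myproject-log/lb-stg/AWSLogs/{APP_ACCOUNT_ID}/*")
```

Running check_access_log_bucket over QUESTION_STYLE_POLICY reports the uncovered prefix, while FIXED_POLICY with "AES256" passes cleanly.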