Terraform - 启用访问负载平衡器日志 InvalidConfigurationRequest:存储桶的访问被拒绝
[英]Terraform - Enabling Access Load balancer logs InvalidConfigurationRequest: Access Denied for bucket
问题描述
I'm using terraform to provision an ELB & want to Enable Access logs for ELB in a S3 bucket.
我正在使用 terraform 来配置 ELB 并希望在 S3 存储桶中为 ELB 启用访问日志。 When I try to apply the resources, I get the below error - InvalidConfiguration: Access Denied for bucket:当我尝试应用资源时,出现以下错误 - InvalidConfiguration: Access Denied for bucket:
Below are my TF resources with the S3 bucket policy created using the IAM Policy Document.下面是我的 TF 资源,其中包含使用 IAM 策略文档创建的 S3 存储桶策略。
resource "aws_lb" "this" {
name = var.name
load_balancer_type = "application"
access_logs {
bucket = aws_s3_bucket.this.bucket
prefix = var.name
enabled = true
}
}
resource "aws_s3_bucket" "this" {
bucket = "${var.bucket_name}"
acl = "log-delivery-write"
force_destroy = true
}
resource "aws_s3_bucket_policy" "this" {
bucket = "aws_s3_bucket.this.id"
policy = "${data.aws_iam_policy_document.s3_bucket_lb_write.json}"
}
data "aws_iam_policy_document" "s3_bucket_lb_write" {
policy_id = "s3_bucket_lb_logs"
statement {
actions = [
"s3:PutObject",
]
effect = "Allow"
resources = [
"${aws_s3_bucket.this.arn}/*",
]
principals {
identifiers = ["${data.aws_elb_service_account.main.arn}"]
type = "AWS"
}
}
statement {
actions = [
"s3:PutObject"
]
effect = "Allow"
resources = ["${aws_s3_bucket.this.arn}/*"]
principals {
identifiers = ["delivery.logs.amazonaws.com"]
type = "Service"
}
}
statement {
actions = [
"s3:GetBucketAcl"
]
effect = "Allow"
resources = ["${aws_s3_bucket.this.arn}"]
principals {
identifiers = ["delivery.logs.amazonaws.com"]
type = "Service"
}
}
}
output "bucket_name" {
value = "${aws_s3_bucket.this.bucket}"
}
I get the following error我收到以下错误
Error: Error putting S3 policy: NoSuchBucket: The specified bucket does not exist
status code: 404, request id: 5932CFE816059A8D, host id: j5ZBQ2ptHXivx+fu7ai5jbM8PSQR2tCFo4IAvcLkuocxk8rn/r0TG/6YbfRloBFR2WSy8UE7K8Q=
Error: Failure configuring LB attributes: InvalidConfigurationRequest: Access Denied for bucket: test-logs-bucket-xyz. Please check S3bucket permission
status code: 400, request id: ee101cc2-5518-42c8-9542-90dd7bb05e3c
terraform version Terraform v0.12.23 terraform 版本 Terraform v0.12.23
- provider.aws v3.6.0 provider.aws v3.6.0
1 个解决方案
解决方案1
5 已采纳 2020-09-22 00:31:52
There is mistake in:有以下错误:
resource "aws_s3_bucket_policy" "this" {
bucket = "aws_s3_bucket.this.id"
policy = "${data.aws_iam_policy_document.s3_bucket_lb_write.json}"
}
it should be:它应该是:
resource "aws_s3_bucket_policy" "this" {
bucket = aws_s3_bucket.this.id
policy = data.aws_iam_policy_document.s3_bucket_lb_write.json
}
The orginal version ( bucket = "aws_s3_bucket.this.id" ) will just try to look for bucket literally called "aws_s3_bucket.this.id".原始版本 ( bucket = "aws_s3_bucket.this.id" ) 只会尝试查找字面上称为“aws_s3_bucket.this.id”的存储桶。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.