堆栈内存溢出
  简体   繁体   English

Pulumi - 为 CloudTrail 日志创建 S3 存储桶策略 - 资源无效

[英]Pulumi - Creating S3 bucket policy for CloudTrail logs - Invalid resource

 原文  2021-08-16 11:58:46       python/ amazon-s3/ amazon-cloudtrail/ pulumi

问题描述

I am using Pulumi (Python) and trying to create a bucket for AWS CloudTrail logs.我正在使用 Pulumi (Python) 并尝试为 AWS CloudTrail 日志创建一个存储桶。 I based my code off this example.我的代码基于这个例子。 I keep getting the following error: Error putting S3 policy: MalformedPolicy: Policy has invalid resource我不断收到以下错误消息: Error putting S3 policy: MalformedPolicy: Policy has invalid resource

import pulumi
import pulumi_aws as aws

# create a bucket to store CloudTrail logs
cloudtrail_bucket = aws.s3.Bucket("CloudTrailLogs")

# assign policy to bucket
aws_account_id = aws.get_caller_identity().account_id
bucket_policy = aws.s3.BucketPolicy(
    "CloudTrailLogsBucketPolicy",
    bucket=cloudtrail_bucket.id,
    policy=pulumi.Output.all(cloudtrail_bucket.id).apply(
        lambda bucket_id: f"""{{
            "Version": "2012-10-17",
            "Statement": [
                {{
                    "Sid": "AWSCloudTrailAclCheck20150319",
                    "Effect": "Allow",
                    "Principal": {{"Service": "cloudtrail.amazonaws.com"}},
                    "Action": "s3:GetBucketAcl",
                    "Resource": "arn:aws:s3:::{bucket_id}"
                }},
                {{
                    "Sid": "AWSCloudTrailWrite20150319",
                    "Effect": "Allow",
                    "Principal": {{"Service": "cloudtrail.amazonaws.com"}},
                    "Action": "s3:PutObject",
                    "Resource": "arn:aws:s3:::{bucket_id}/AWSLogs/{aws_account_id}/*",
                    "Condition": {{
                        "StringEquals": {{"s3:x-amz-acl": "bucket-owner-full-control"}}
                    }}
                }}
            ]
        }}
        """
    ),
)

Does anyone know what the issue could be?有谁知道问题可能是什么?

My current environment is using the following:我当前的环境正在使用以下内容:

pulumi==3.9.1
pulumi-aws==4.15.0

1 个解决方案

解决方案1
 0 已采纳  2021-08-16 12:33:50

You're referencing the account ID without making it part of the apply/all statement.您在引用帐户 ID 时并未将其作为 apply/all 语句的一部分。

Try this instead:试试这个:

policy=pulumi.Output.all(cloudtrail_bucket.id, aws_account_id).apply(
        lambda args: f"""{{
            "Version": "2012-10-17",
            "Statement": [
                {{
                    "Sid": "AWSCloudTrailAclCheck20150319",
                    "Effect": "Allow",
                    "Principal": {{"Service": "cloudtrail.amazonaws.com"}},
                    "Action": "s3:GetBucketAcl",
                    "Resource": "arn:aws:s3:::{args[0]}"
                }},
                {{
                    "Sid": "AWSCloudTrailWrite20150319",
                    "Effect": "Allow",
                    "Principal": {{"Service": "cloudtrail.amazonaws.com"}},
                    "Action": "s3:PutObject",
                    "Resource": "arn:aws:s3:::{args[0]}/AWSLogs/{args[1]}/*",
                    "Condition": {{
                        "StringEquals": {{"s3:x-amz-acl": "bucket-owner-full-control"}}
                    }}
                }}
            ]
        }}
        """
    )

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 cloudtrail 加密是否对 s3 存储桶进行了过度加密? - Is cloudtrail encryption to a s3 bucket with encryption overdoing it? AWS S3 错误“策略具有无效资源” - AWS S3 Error 'Policy has invalid resource' S3 服务器访问日志记录与 CloudTrail 日志 - S3 Server access logging vs CloudTrail logs 亚马逊 s3 将桶与桶策略 - Amazon s3 put bucket with bucket policy 带条件的 AWS S3 存储桶策略 - AWS S3 bucket policy with condition S3 存储桶策略多个条件 - S3 bucket policy multiple conditions minio - s3 - 存储桶策略说明 - minio - s3 - bucket policy explanation 将 ELB 帐户分配给 S3 存储桶策略 - Assign ELB Account to S3 Bucket Policy Minio s3:ListAllMyBucket 存储桶策略不起作用? - Minio s3:ListAllMyBucket bucket policy not working? CloudFormation 中的存储桶检测到不正确的 S3 存储桶策略 - Incorrect S3 bucket policy is detected for bucket in CloudFormation
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM