堆栈内存溢出
  简体   繁体   English

cloudformation 中定义的资源权限

[英]Permissions on resources defined in cloudformation

 原文  2022-11-22 17:39:43       amazon-web-services/ amazon-s3/ aws-lambda/ amazon-cloudformation

问题描述

I am making a cloudformation template to create a lambda with its permissions.我正在制作一个 cloudformation 模板来创建一个 lambda 及其权限。 I need to access a specific s3 bucket and I am placing its specific arn, however when I execute the lambda it tells me that it does not have permission to access that bucket (getObject), but if I put the almost full name of the s3 arn only that I put a * at the end, if it lets me access the files in that bucket.我需要访问特定的 s3 存储桶并放置其特定的 arn,但是当我执行 lambda 时它告诉我它没有访问该存储桶 (getObject) 的权限,但是如果我输入 s3 的几乎全名只知道我在末尾放了一个 *,如果它允许我访问该存储桶中的文件。

Bucket name: bucket-test-impl桶名:bucket-test-impl

LambdaSSMPermissions:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: allowSsmS3
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - ssm:PutParameters
                  - ssm:PutParameter
                  - s3:GetObject
                Resource:
                  - arn:aws:s3:::bucket-test-* //THIS WORKS
                  - arn:aws:s3:::bucket-test-impl //IT DOESN'T WORK AND IT'S THE ONE I NEED, 
                  - !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/abcd/*/*'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'

2 个解决方案

解决方案1
 1  2022-11-23 11:09:37

To access s3 bucket you have to provide /* at the end of path.要访问 s3 存储桶,您必须在路径末尾提供 /*。

change改变

arn:aws:s3:::bucket-test-impl

to

arn:aws:s3:::bucket-test-impl/*

解决方案2
 1  2022-11-23 15:17:39

In the end I was able to remove all references with * using the reading policy that Amazon gives me.最后,我能够使用亚马逊给我的阅读政策删除所有带有 * 的引用。

ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
        - 'arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess'

With this, I was able to use the direct arn of the file inside the bucket, without using *这样,我就可以直接使用存储桶内文件的 arn,而无需使用 *

Resource:
       - arn:aws:s3:::bucket-test-impl

or:或者:

Resource:
       - arn:aws:s3:::bucket-test-impl/fileName

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 将 StackName 添加到 Cloudformation 资源 - Prepend StackName to Cloudformation resources 将现有 CloudFormation 资源大规模导入 CDK - Importing existing CloudFormation resources into CDK at scale 如何将“手动创建”的资源添加到 cloudformation 模板 - how to add "manually created" resources to the cloudformation template GCP - 拒绝特定资源的权限 - GCP - Deny Permissions for Specific Resources CloudFormation - SAM 模板的结构无效。 “资源”部分是必需的 - CloudFormation - Structure of the SAM template is invalid. 'Resources' section is required Cloudformation:通过 API GW 集成发现 Lambda function 的权限无效 - Cloudformation: Invalid permissions on Lambda function found with API GW Integration Lambda 从 Serverless 部署 CloudFormation 时未继承权限 - Lambda not inheriting permissions while deploying CloudFormation from Serverless 如何从 CDK/CloudFormation 重新创建手动删除的资源 - How to recreate manually deleted resources from the CDK/CloudFormation AWS CloudFormation:如何在 AWS::IAM::Policy 中引用另一个堆栈中定义的角色 - AWS CloudFormation: How to refer a role defined in another stack inside AWS::IAM::Policy 如何确定使用 AWS Terraform 资源所需的 AWS IAM 策略权限? - How to determine the AWS IAM policy permissions needed to use AWS Terraform Resources?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM