
Create Policy in Cloudformation Granting Access to s3 Buckets From Separate AWS Account

I have read the "Specifying Principals in a Policy" doc: https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-bucket-user-policy-specifying-principal-intro.html , and am inferring some behaviors from there and from other SO questions (like "aws lambda function getting access denied when getObject from s3") that do not specifically deal with CloudFormation.

I am still stumped on this error when I try to create a policy that grants a foreign role access to a local bucket. The error from Cloudformation is: Policy document should not specify a principal.

Situation Breakdown

I have two AWS accounts. Account A creates a bucket, and I want to grant Account B write access to it.

In Account A CloudFormation I have created a Policy that grants an Account B role access to said bucket. Guide from https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html . That role exists in Account B.

  AccountBWriteToS3Policy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: AccountBWriteToS3Policy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Principal:
              AWS: 'arn:aws:iam::123456789876:role/AccountBRole'
            Effect: Allow
            Action:
              - 's3:PutObject'
              - 's3:ListBucket'
            Resource: !Sub
              - '${bucketArn}/*'
              - bucketArn: !GetAtt
                  - AccountABucket
                  - Arn
      Roles:
        - AccountARole

However, CloudFormation fails to execute, and rolls back with the error: Policy document should not specify a principal.

I'm fairly stumped.

Can anyone explain this error?

Can anyone prescribe a path forward?

This seems like a simple and common need, covered in numerous examples. Maybe I'm supposed to specify the policy within the bucket declaration itself instead of creating an account-wide policy?
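The error comes from the policy type: AWS::IAM::Policy is an identity-based policy, which is attached to a user, group or role and therefore never carries a Principal (the identity it is attached to is the principal). A policy that names a foreign principal is a resource-based policy, which for S3 means AWS::S3::BucketPolicy. The following Account A template, added here as an example and not taken from the original question, shows that form. The account ID, role name and bucket name are hypothetical. It also splits the actions by resource level: s3:ListBucket is evaluated against the bucket ARN, while s3:PutObject is evaluated against the object keys, so `${bucketArn}/*` alone (as in the question's snippet) would not authorize the ListBucket call.

```yaml
# Added example (not from the original post). Deployed in Account A.
# Assumption: Account B's role ARN below is a placeholder.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  AccountBRoleArn:
    Type: String
    Default: 'arn:aws:iam::123456789876:role/AccountBRole'   # hypothetical
Resources:
  AccountABucket:
    Type: AWS::S3::Bucket
    Properties:
      # Objects written by Account B are owned by Account A, so no
      # bucket-owner-full-control ACL dance is needed on the writer side.
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced
      # Block Public Access does not interfere with a policy whose principal
      # is a specific account/role; it only rejects public grants.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  AccountBWriteBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref AccountABucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowAccountBRoleToListBucket
            Effect: Allow
            Principal:
              AWS: !Ref AccountBRoleArn
            Action: s3:ListBucket
            Resource: !GetAtt AccountABucket.Arn        # bucket-level action
          - Sid: AllowAccountBRoleToPutObjects
            Effect: Allow
            Principal:
              AWS: !Ref AccountBRoleArn
            Action: s3:PutObject
            Resource: !Sub '${AccountABucket.Arn}/*'    # object-level action
```

Two caveats a practitioner should check before relying on this. First, cross-account access requires both sides to allow the call: the bucket policy in Account A is necessary but not sufficient, and AccountBRole must also carry an identity-based policy in Account B granting the same s3:ListBucket and s3:PutObject on this bucket, otherwise S3 still returns AccessDenied. Second, IAM resolves a role ARN in a bucket policy to the role's unique ID at save time; if Account B deletes and recreates the role with the same name, the bucket policy shows a unique ID instead of the ARN and stops matching until it is re-saved.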

You need to create a role with a "trust policy" naming the principal, and then a "permission policy" to allow read/write access to the S3 bucket.

Here is a snippet from my CloudFormation.

  Role:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: !Sub '${RuleName}-Role'
      Path: "/"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          # Principal must be a map, and IAM rejects wildcards inside an ARN
          # principal; name the account root (or a specific user/role) instead.
          Principal:
            AWS: !Sub 'arn:aws:iam::${AccountID}:root'
          Action: sts:AssumeRole
  RolePolicies:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: !Sub '${RuleName}-RolePolicies'
      Roles:
        - Ref: "Role"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Effect: Allow
          Action:
          - s3:Get*
          - s3:Put*
          - s3:List*
          - s3:AbortMultipartUpload
          # !Ref on an S3 bucket returns its name, not an ARN. Policies need
          # the bucket ARN (for List*) and the key space (for Get/Put/Abort).
          Resource:
          - !GetAtt Bucket.Arn
          - !Sub '${Bucket.Arn}/*'

Ref: Cross account tutorial
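The answer above covers the Account A half of the assume-role pattern. For it to work, something in Account B must be allowed to call sts:AssumeRole on that role, and that permission lives in Account B. The template below is an added example, not part of the original answer, showing that caller side; the Account A role ARN, the role name and the Lambda trust are assumptions chosen for illustration.

```yaml
# Added example (not from the original answer). Deployed in Account B.
# Assumption: the Account A role ARN is a placeholder created by the
# Role resource in the answer's template.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  AccountAWriterRoleArn:
    Type: String
    Default: 'arn:aws:iam::111111111111:role/my-rule-Role'   # hypothetical
Resources:
  AccountBRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: AccountBRole
      # Trust only the workload in Account B that needs to reach the bucket
      # (assumed here to be Lambda); do not open the trust to the account root.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: AssumeAccountAWriterRole
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # The only S3-related permission this role needs: the right to
              # switch into Account A's role, which carries the S3 grants.
              - Effect: Allow
                Action: sts:AssumeRole
                Resource: !Ref AccountAWriterRoleArn
```

With this in place, Account A's trust policy can be tightened from the account root to `arn:aws:iam::<AccountB>:role/AccountBRole`, which is the least-privilege form: the Account A role then cannot be assumed by any other identity in Account B. The caller obtains temporary credentials with `aws sts assume-role --role-arn <AccountAWriterRoleArn> --role-session-name writer` and makes the S3 calls with those credentials; objects it writes are owned by Account A, so the ownership problems of direct cross-account writes do not arise in this pattern.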
