
How to configure an S3 bucket to allow an AWS Application Load Balancer (not Classic) to use it? Currently throws "Access Denied"

I have an Application Load Balancer and I'm trying to enable logging; the Terraform code is as follows:


resource "aws_s3_bucket" "lb-logs" {
  bucket = "yeo-messaging-${var.environment}-lb-logs"
}

resource "aws_s3_bucket_acl" "lb-logs-acl" {
  bucket = aws_s3_bucket.lb-logs.id
  acl    = "private"
}


resource "aws_lb" "main" {
  name                       = "main"
  internal                   = false
  load_balancer_type         = "application"
  security_groups            = [aws_security_group.public.id]
  enable_deletion_protection = false
  subnets                    = [aws_subnet.public.id, aws_subnet.public-backup.id]

  access_logs {
    bucket  = aws_s3_bucket.lb-logs.bucket
    prefix  = "main-lb"
    enabled = true
  }
}

Unfortunately, I can't apply it, because of the following:

Error: failure configuring LB attributes: InvalidConfigurationRequest: Access Denied for bucket: xxx-lb-logs. Please check S3bucket permission
│       status code: 400, request id: xx

I've looked at some SO threads and documentation, but unfortunately they all apply to Classic Load Balancers, specifically the "data" that lets you fetch the load balancer's service account.

I found some policy information on how to apply the correct permissions to the SA, but I can't seem to find how to apply the service account to the LB itself.

Example:

# Regional ELB service account (arn:aws:iam::<elb-account-id>:root),
# referenced by the policy document below.
data "aws_elb_service_account" "main" {}

data "aws_iam_policy_document" "allow-lb" {
  statement {
    principals {
      type        = "AWS"
      identifiers = [data.aws_elb_service_account.main.arn]
    }

    actions = [
      "s3:GetObject",
      "s3:ListBucket",
      "s3:PutObject"
    ]

    resources = [
      aws_s3_bucket.lb-logs.arn,
      "${aws_s3_bucket.lb-logs.arn}/*",
    ]
  }
}


resource "aws_s3_bucket_policy" "allow-lb" {
  bucket = aws_s3_bucket.lb-logs.id
  policy = data.aws_iam_policy_document.allow-lb.json
}

But all of this is moot, since data.aws_elb_service_account.main.arn only applies to Classic LBs.


EDIT:

Full code attempted, from the answer below:


resource "aws_s3_bucket" "lb-logs" {
  bucket = "yeo-messaging-${var.environment}-lb-logs"
}

resource "aws_s3_bucket_acl" "lb-logs-acl" {
  bucket = aws_s3_bucket.lb-logs.id
  acl    = "private"
}

data "aws_iam_policy_document" "allow-lb" {
  statement {
    principals {
      type        = "Service"
      identifiers = ["logdelivery.elb.amazonaws.com"]
    }

    actions = [
      "s3:PutObject"
    ]

    resources = [
      "${aws_s3_bucket.lb-logs.arn}/*"
    ]

    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"

      values = [
        "bucket-owner-full-control"
      ]
    }
  }
}

resource "aws_s3_bucket_policy" "allow-lb" {
  bucket = aws_s3_bucket.lb-logs.id
  policy = data.aws_iam_policy_document.allow-lb.json
}


resource "aws_lb" "main" {
  name                       = "main"
  internal                   = false
  load_balancer_type         = "application"
  security_groups            = [aws_security_group.public.id]
  enable_deletion_protection = false
  subnets                    = [aws_subnet.public.id, aws_subnet.public-backup.id]

  access_logs {
    bucket  = aws_s3_bucket.lb-logs.bucket
    prefix  = "main-lb"
    enabled = true
  }
}

The bucket policy you need to use is provided in the official documentation on access logs for Application Load Balancers:

{
    "Effect": "Allow",
    "Principal": {
        "Service": "logdelivery.elb.amazonaws.com"
    },
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::bucket-name/prefix/AWSLogs/your-aws-account-id/*",
    "Condition": {
        "StringEquals": {
            "s3:x-amz-acl": "bucket-owner-full-control"
        }
    }
}

Note that bucket-name, prefix and your-aws-account-id need to be replaced with your actual values in that policy.


In Terraform:

# Account ID used to build the AWSLogs/<account-id> path from the policy above.
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "allow-lb" {
  statement {
    principals {
      type        = "Service"
      identifiers = ["logdelivery.elb.amazonaws.com"]
    }

    actions = [
      "s3:PutObject"
    ]

    # Scoped like the JSON policy above: <prefix>/AWSLogs/<account-id>/*,
    # using the "main-lb" prefix configured on the load balancer.
    resources = [
      "${aws_s3_bucket.lb-logs.arn}/main-lb/AWSLogs/${data.aws_caller_identity.current.account_id}/*"
    ]

    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"

      values = [
        "bucket-owner-full-control"
      ]
    }
  }
}

# Attach the document to the bucket; a policy document on its own grants nothing.
resource "aws_s3_bucket_policy" "allow-lb" {
  bucket = aws_s3_bucket.lb-logs.id
  policy = data.aws_iam_policy_document.allow-lb.json
}
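A complete configuration for this case, added here as an example and not taken from the question or the answer above. It keeps the names from the question (the bucket name, the main-lb prefix, var.environment, aws_security_group.public, aws_subnet.public and aws_subnet.public-backup, all assumed to be defined elsewhere); local.lb_log_prefix and the resource labels ending in lb-logs are my own. It grants the regional ELB log-delivery account, which is the principal Application Load Balancers use in regions that existed before August 2022 (regions launched later use the service principal logdelivery.elasticloadbalancing.amazonaws.com per the ALB access-log documentation), s3:PutObject on exactly the key path the load balancer writes to, forces SSE-S3, and makes the load balancer wait for the bucket policy:

```hcl
# Added example, not code from the question or the answer.
# Assumed to exist elsewhere: var.environment, aws_security_group.public,
# aws_subnet.public, aws_subnet.public-backup.

data "aws_caller_identity" "current" {}

# arn:aws:iam::<elb-account-id>:root for the provider's region. Despite the
# data source name this is the principal ALB log delivery uses in regions
# that existed before August 2022.
data "aws_elb_service_account" "main" {}

locals {
  lb_log_prefix = "main-lb" # hypothetical local, same value as the question
}

# The bucket must be in the same region as the load balancer.
resource "aws_s3_bucket" "lb-logs" {
  bucket = "yeo-messaging-${var.environment}-lb-logs"
}

# ACLs disabled: the bucket owner owns every delivered object, and a request
# carrying the bucket-owner-full-control ACL is still accepted.
resource "aws_s3_bucket_ownership_controls" "lb-logs" {
  bucket = aws_s3_bucket.lb-logs.id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

resource "aws_s3_bucket_public_access_block" "lb-logs" {
  bucket                  = aws_s3_bucket.lb-logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# ALB access logs only support SSE-S3; an SSE-KMS default also results in
# the load balancer's test write being refused.
resource "aws_s3_bucket_server_side_encryption_configuration" "lb-logs" {
  bucket = aws_s3_bucket.lb-logs.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

data "aws_iam_policy_document" "allow-lb" {
  statement {
    sid     = "AllowALBAccessLogDelivery"
    effect  = "Allow"
    actions = ["s3:PutObject"]

    principals {
      type        = "AWS"
      identifiers = [data.aws_elb_service_account.main.arn]
    }

    # The load balancer writes <prefix>/AWSLogs/<account-id>/..., beginning
    # with a test object named ELBAccessLogTestFile when logging is enabled.
    resources = [
      "${aws_s3_bucket.lb-logs.arn}/${local.lb_log_prefix}/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
    ]
  }
}

resource "aws_s3_bucket_policy" "allow-lb" {
  bucket = aws_s3_bucket.lb-logs.id
  policy = data.aws_iam_policy_document.allow-lb.json
}

resource "aws_lb" "main" {
  name                       = "main"
  internal                   = false
  load_balancer_type         = "application"
  security_groups            = [aws_security_group.public.id]
  enable_deletion_protection = false
  subnets                    = [aws_subnet.public.id, aws_subnet.public-backup.id]

  access_logs {
    bucket  = aws_s3_bucket.lb-logs.bucket
    prefix  = local.lb_log_prefix
    enabled = true
  }

  # aws_lb only references the bucket, so Terraform would otherwise create the
  # load balancer in parallel with the bucket policy. ELB validates the bucket
  # with a test write when the access-log attribute is set, and if the policy
  # is not attached yet that write fails with "Access Denied for bucket".
  depends_on = [
    aws_s3_bucket_policy.allow-lb,
    aws_s3_bucket_server_side_encryption_configuration.lb-logs,
  ]
}
```

"Access Denied for bucket" means the test write of prefix/AWSLogs/account-id/ELBAccessLogTestFile was refused, so the things to check are, in order: that the policy principal is the right one for the region, that the Resource covers that exact key (prefix included), that the bucket is in the load balancer's region, that default encryption is not SSE-KMS, and that the policy was attached before the attribute was set. The depends_on on aws_lb covers the last point, which the configuration in the question leaves to chance.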
