
AWS Cloudformation template - S3 bucket policy - MalformedPolicy error

I'm trying to add a policy to my (static website) S3 bucket so that only the CloudFormation distribution can access it, but during deployment I keep getting a MalformedPolicy error and can't find what's wrong.

The relevant part of the CloudFormation template

Resources:

  BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    DependsOn:
      - AppBucket
      - CloudFrontDistribution
    Properties:
      Bucket: !Ref AppBucket
      PolicyDocument:
        Id: MyPolicy
        Version: 2012-10-17
        Statement:
          - Sid: PolicyForCloudFrontPrivateContent
            Action: 's3:GetObject*'
            Effect: Allow
            Condition:
              StringLike:
                'aws:Referer':
                  - !Sub 'https://*.${CloudFrontDistribution}.cloudfront.net/*'
              Resource:
                - !Sub arn:aws:s3:::${AppBucket}

  CloudFrontDistribution:
    # ...

  AppBucket:
    # ...

Deployment error

(...)

CloudFormation events from stack operations (refresh every 0.5 seconds)
---------------------------------------------------------------------------------------------------------------------------------------------
ResourceStatus                      ResourceType                        LogicalResourceId                   ResourceStatusReason              
---------------------------------------------------------------------------------------------------------------------------------------------
UPDATE_IN_PROGRESS                  AWS::S3::BucketPolicy               BucketPolicy                        -                                 
UPDATE_FAILED                       AWS::S3::BucketPolicy               BucketPolicy                        Missing required field Principal  
                                                                                                            (Service: Amazon S3; Status Code: 
                                                                                                            400; Error Code: MalformedPolicy; 
                                                                                                            Request ID: DG2QHRDJQ2WS6JZV; S3  
                                                                                                            Extended Request ID: 6u+LYv77A4Ao 
                                                                                                            DmKmyB4Sfup+rueC1iGAQ82GdkfHimIZL 
                                                                                                            X/HXUPWj2FKSq7WCgi41F4XU6z6BOk=;  
                                                                                                            Proxy: null)                      
UPDATE_ROLLBACK_IN_PROGRESS         AWS::CloudFormation::Stack          test-app-hosting                    The following resource(s) failed  
                                                                                                            to update: [BucketPolicy].        
UPDATE_COMPLETE                     AWS::S3::BucketPolicy               BucketPolicy                        -                                 
UPDATE_ROLLBACK_COMPLETE_CLEANUP_   AWS::CloudFormation::Stack          test-app-hosting                    -                                 
IN_PROGRESS                                                                                                                                   
UPDATE_ROLLBACK_COMPLETE            AWS::CloudFormation::Stack          test-app-hosting                    -                                 
---------------------------------------------------------------------------------------------------------------------------------------------
Error: Failed to create/update the stack: test-app-hosting, Waiter StackUpdateComplete failed: Waiter encountered a terminal failure state: For expression "Stacks[].StackStatus" we matched expected path: "UPDATE_ROLLBACK_COMPLETE" at least once

Update #1

As both @luk2302 and @Marcin pointed out, I missed the Statement > Principal part (feeling silly about that), but adding it now gives a new error:

---------------------------------------------------------------------------------------------------------------------------------------------
ResourceStatus                      ResourceType                        LogicalResourceId                   ResourceStatusReason              
---------------------------------------------------------------------------------------------------------------------------------------------
UPDATE_IN_PROGRESS                  AWS::S3::BucketPolicy               BucketPolicy                        -                                 
UPDATE_FAILED                       AWS::S3::BucketPolicy               BucketPolicy                        Invalid policy syntax. (Service:  
                                                                                                            Amazon S3; Status Code: 400;      
                                                                                                            Error Code: MalformedPolicy;      
                                                                                                            Request ID: NH6PZB3QF0747F4N; S3  
                                                                                                            Extended Request ID: xdXOFPWgHCjg 
                                                                                                            Lzf4gdjCg79NIXS6qtmtLuGn8N7NeLIOJ 
                                                                                                            4Qw2bgSJ2v6MKdNzbrMCWCEPKBc90E=;  
                                                                                                            Proxy: null)                      
UPDATE_ROLLBACK_IN_PROGRESS         AWS::CloudFormation::Stack          test-app-hosting                    The following resource(s) failed  
                                                                                                            to update: [BucketPolicy].

The usage of Resource is incorrect, and you are missing Principal, as described in the AWS documentation. It should be:

  BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    DependsOn:
      - AppBucket
      - CloudFrontDistribution
    Properties:
      Bucket: !Ref AppBucket
      PolicyDocument:
        Id: MyPolicy
        Version: 2012-10-17
        Statement:
          - Sid: PolicyForCloudFrontPrivateContent
            Action: 's3:GetObject*'
            Effect: Allow
            Principal:
              Service: cloudfront.amazonaws.com
            Resource:
              - !Sub arn:aws:s3:::${AppBucket}
            Condition:
              StringLike:
                'aws:Referer':
                  - !Sub 'https://*.${CloudFrontDistribution}.cloudfront.net/*'

OK, after a lot of trial and error, I found that the main problem was providing Resource and Condition.StringLike.aws:Referer as array values instead of strings:

Wrong

Resource:
  - !Sub arn:aws:s3:::${AppBucket}
Condition:
  StringLike:
    'aws:Referer':
      - !Sub 'https://*.${CloudFrontDistribution}.cloudfront.net/*'

Correct

Resource: !Sub arn:aws:s3:::${AppBucket}
Condition:
  StringLike:
    'aws:Referer': !Sub 'https://*.${CloudFrontDistribution}.cloudfront.net/*'
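A worked check, added here rather than taken from either answer, that reproduces the two structural errors S3 reported above and the corrections the answers describe. It lints the PolicyDocument as S3 receives it once !Ref/!Sub are resolved (constructed placeholder bucket name and distribution id) and returns a corrected statement; the bucket-ARN check goes beyond the answers: s3:GetObject is an object-level action, so the Resource must be the object ARN (bucket/*), not the bare bucket ARN both answers use.

```python
import copy

# Constructed sample: the question's PolicyDocument as S3 receives it once
# CloudFormation has resolved !Ref/!Sub (placeholder bucket name and distribution id).
BROKEN = {
    "Id": "MyPolicy", "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PolicyForCloudFrontPrivateContent",
        "Action": "s3:GetObject*", "Effect": "Allow",
        "Condition": {
            "StringLike": {"aws:Referer": ["https://*.EXAMPLEID.cloudfront.net/*"]},
            "Resource": ["arn:aws:s3:::example-app-bucket"],  # indented one level too deep
        },
    }],
}

def as_list(value):
    """IAM grammar accepts a string or a list for most fields; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def lint_bucket_policy(policy):
    """Return the problems S3 reported above as MalformedPolicy, plus one it accepts silently."""
    problems = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        sid = stmt.get("Sid", f"Statement[{i}]")
        if "Principal" not in stmt and "NotPrincipal" not in stmt:
            problems.append(f"{sid}: Missing required field Principal")
        for key in stmt.get("Condition", {}):
            if key in ("Resource", "Principal", "Action", "Effect"):
                problems.append(f"{sid}: {key} is nested under Condition; it belongs on the statement")
        if "Resource" not in stmt and "NotResource" not in stmt:
            problems.append(f"{sid}: Missing Resource")
        # s3:GetObject* is an object-level action; a bare bucket ARN never matches an object key
        if any(a.lower().startswith("s3:getobject") for a in as_list(stmt.get("Action"))):
            for r in as_list(stmt.get("Resource")):
                if r.startswith("arn:aws:s3:::") and "/" not in r:
                    problems.append(f"{sid}: {r} is a bucket ARN; use {r}/* for s3:GetObject")
    return problems

def fix_statement(stmt, service="cloudfront.amazonaws.com"):
    """Return a corrected copy: Resource hoisted out of Condition, Principal added, object ARN used."""
    s = copy.deepcopy(stmt)
    if "Resource" in s.get("Condition", {}):
        s["Resource"] = s["Condition"].pop("Resource")
    s.setdefault("Principal", {"Service": service})
    s["Resource"] = [r + "/*" if r.startswith("arn:aws:s3:::") and "/" not in r else r
                     for r in as_list(s.get("Resource"))]
    return s
```

Run lint_bucket_policy on the rendered document before deploying; an empty list means the statement-level fields S3 insists on are all in place.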
