
CloudFormation claims KMS policy statement principals are invalid

I have the following SAM template:

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  test lambda
Globals:
  Function:
    Timeout: 3
    Tracing: Active
  Api:
    TracingEnabled: True

Resources:
  NotesFunction:
    Type: AWS::Serverless::Function
    Properties:
      PackageType: Zip
      CodeUri: notes/
      Handler: app.lambdaHandler
      Runtime: nodejs18.x
      Policies:
      - AmazonDynamoDBFullAccess
      Architectures:
        - x86_64
      Events:
        FetchNotes:
          Type: Api
          Properties:
            Path: /notes
            Method: get
        GiveNotes:
          Type: Api
          Properties:
            Path: /notes
            Method: post
        Users:
          Type: Api
          Properties:
            Path: /notes/users
            Method: get
    Metadata:
      BuildMethod: esbuild
      BuildProperties:
        Minify: true
        Target: "es2020"
        Sourcemap: true
        EntryPoints:
        - app.ts

  KmsKey:
    Type: AWS::KMS::Key
    Properties:
      Description: CMK for encrypting and decrypting
      KeyPolicy:
        Version: '2012-10-17'
        Id: key-default-1
        Statement:
        - Sid: Enable IAM User Permissions
          Effect: Allow
          Principal:
            AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
          Action: kms:*
          Resource: '*'
        - Sid: Allow administration of the key
          Effect: Allow
          Principal:
            AWS: arn:aws:iam::<MY_ACCOUNT>:role/aws-service-role/cks.kms.amazonaws.com/KMSKeyAdminRole
          Action:
          - kms:Create*
          - kms:Describe*
          - kms:Enable*
          - kms:List*
          - kms:Put*
          - kms:Update*
          - kms:Revoke*
          - kms:Disable*
          - kms:Get*
          - kms:Delete*
          - kms:ScheduleKeyDeletion
          - kms:CancelKeyDeletion
          Resource: '*'
        - Sid: Allow use of the key
          Effect: Allow
          Principal:
            AWS: !Ref NotesFunctionRole
          Action:
          - kms:DescribeKey
          - kms:Encrypt
          - kms:Decrypt
          - kms:ReEncrypt*
          - kms:GenerateDataKey
          - kms:GenerateDataKeyWithoutPlaintext
          Resource: '*'

  NotesDynamoDB:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: experimental-notes
      AttributeDefinitions:
        - AttributeName: id
          AttributeType: S
      KeySchema:
        - AttributeName: id
          KeyType: HASH
      ProvisionedThroughput:
        ReadCapacityUnits: 5
        WriteCapacityUnits: 5
      StreamSpecification:
        StreamViewType: NEW_IMAGE

Outputs:
  NotesApi:
    Description: "API Gateway endpoint URL for dev stage for Notes function"
    Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/dev/notes/"
  NotesFunction:
    Description: "Notes Lambda Function ARN"
    Value: !GetAtt NotesFunction.Arn
  NotesFunctionIamRole:
    Description: "Implicit IAM Role created for Notes function"
    Value: !GetAtt NotesFunctionRole.Arn
  NotesDynamoDB:
    Description: "DynamoDB table backing the Lambda"
    Value: !GetAtt NotesDynamoDB.Arn

When I build and deploy this template, I get the following CloudFormation error:

Resource handler returned message: "Policy contains a statement with one or more invalid principals....

(Obviously I have redacted my actual account ID and replaced it with <MY_ACCOUNT>.)

But it does not say which principals are "invalid". The idea is that the second policy statement is applied to, and hard-coded against, an existing role (KMSKeyAdminRole). The third statement applies to the role of the NotesFunction Lambda created above.

Can anyone spot where I went wrong?

This ended up working perfectly and fixed the CF error:

- Sid: Allow use of the key
  Effect: Allow
  Principal:
    AWS: !GetAtt FeedbackFunctionRole.Arn
  Action:
  - kms:DescribeKey
  - kms:Encrypt
  - kms:Decrypt
  - kms:ReEncrypt*
  - kms:GenerateDataKey
  - kms:GenerateDataKeyWithoutPlaintext
  Resource: '*'
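A pre-deploy check for the mistake the question turned out to contain, as an added example (not code from the question or the answer): in a KMS key policy, `Principal.AWS` must be an IAM ARN, a 12-digit account ID or `*`, and `Ref` on a role (SAM's implicit `NotesFunctionRole` included) resolves to the role name, so `Fn::GetAtt [Role, Arn]` is what the principal needs. It works on the JSON long form of the intrinsics that the YAML short tags `!Ref`, `!GetAtt` and `!Sub` stand for, so it needs only the standard library; the embedded template is a constructed, trimmed version of the one in the question.

```python
import json
import re

# KMS accepts Principal.AWS as an IAM ARN, a bare 12-digit account ID or "*".
ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}|\$\{AWS::AccountId\}):\S+$")
ACCOUNT_RE = re.compile(r"^\d{12}$")

def check_principal(value):
    """Return a problem string for one Principal.AWS value, or None if KMS will accept it."""
    if isinstance(value, dict):
        if "Ref" in value:
            # Ref on an AWS::IAM::Role (SAM's implicit <Function>Role included) returns the
            # role *name*, which KMS rejects; AWS::AccountId is the one Ref valid here.
            name = value["Ref"]
            if name == "AWS::AccountId":
                return None
            return f"Ref {name} yields a name, not an ARN; use Fn::GetAtt [{name}, Arn]"
        if "Fn::GetAtt" in value:
            logical_id, attr = value["Fn::GetAtt"]
            return None if attr == "Arn" else f"Fn::GetAtt {logical_id}.{attr} is not an ARN"
        if "Fn::Sub" not in value:
            return f"unsupported intrinsic {sorted(value)}"
        sub = value["Fn::Sub"]  # list form carries the template string first
        value = sub if isinstance(sub, str) else sub[0]
    if value == "*" or ACCOUNT_RE.match(value) or ARN_RE.match(value):
        return None
    return f"{value!r} is neither an IAM ARN, a 12-digit account ID nor '*'"

def check_kms_principals(template):
    """Return (resource, Sid, problem) for every rejected principal in every KMS key policy."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::KMS::Key":
            continue
        for stmt in res["Properties"]["KeyPolicy"]["Statement"]:
            aws = stmt.get("Principal", {}).get("AWS", [])
            for value in aws if isinstance(aws, list) else [aws]:
                problem = check_principal(value)
                if problem:
                    findings.append((name, stmt.get("Sid"), problem))
    return findings

# Constructed, trimmed version of the question's key policy in CloudFormation's JSON form.
SAMPLE_TEMPLATE = json.loads("""{"Resources": {"KmsKey": {"Type": "AWS::KMS::Key",
 "Properties": {"KeyPolicy": {"Statement": [
  {"Sid": "Enable IAM User Permissions", "Effect": "Allow", "Action": "kms:*", "Resource": "*",
   "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"}}},
  {"Sid": "Allow use of the key", "Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*",
   "Principal": {"AWS": {"Ref": "NotesFunctionRole"}}}
 ]}}}}}""")
```

`check_kms_principals(SAMPLE_TEMPLATE)` reports only the `Allow use of the key` statement, with the `Fn::GetAtt` replacement to make. The check is syntactic only; KMS also rejects a well-formed ARN whose principal does not exist at the moment the policy is applied.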
