我按照這里的指南允許將日志寫入s3.
。"使用以下訪問策略,使 Kinesis Data Firehose 能夠訪問您的 S3 桶和 AWS KMS 密鑰。如果你不擁有S3桶,請將s3:PutObjectAcl添加到Amazon S3操作串列中。這將授予桶的所有者對Kinesis Data Firehose所交付物件的完全訪問權。"
{
"Version": "2012-10-17",
"宣告":
[
{
"效果": "允許",
"行動": [
"s3:AbortMultipartUpload",
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:PutObject"
],
"資源"。[
"arn:aws:s3::bucket-name",
"arn:aws:s3::bucket-name/*"
]
},
{
"效果": "允許"。
"行動": [
"kinesis:DescribeStream",
"kinesis:GetShardIterator",
"kinesis:GetRecords",
"kinesis:ListShards"
],
"資源": "arn:aws:kinesis:region:account-id:stream/stream-name"
},
{
"效果": "允許"。
"Action": [
"kms:解密"。
"kms:GenerateDataKey"
],
"資源"。[
"arn:aws:kms:region:account-id:key/key-id"
],
"條件"。{
"StringEquals": {
"kms:ViaService": "s3.region.amazonaws.com"
},
"StringLike": {
"kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::bucket-name/prefix*"
}
}
},
{
"效果": "允許",
"行動": [
"logs:PutLogEvents"
],
"資源"。[
"arn:aws:logs:region:account-id:log-group:log-group-name:log-stream:log-stream-name"
]
},
{
"效果"。"允許"。
"行動": [
"lambda:InvokeFunction",
"lambda:GetFunctionConfiguration"
],
"資源"。[
"arn:aws:lambda:region:account-id:function:function-name:function-version"
]
}
]
}
具體來說,我看到的錯誤區塊如下(我包括了Principal,因為這是必須的):
{
"效果"。"允許"。
"委托人"。{
"AWS": [
"${account_id}"
]
},
"行動"。[
"kinesis:DescribeStream",
"kinesis:GetShardIterator",
"kinesis:GetRecords",
"kinesis:ListShards"
],
"資源": "arn:aws:kinesis:${region}:${account_id}:stream/*"
},
但是當我試圖將策略應用于s3桶時,我得到了以下結果:
│狀態代碼。400, request id: xxxxxxxxxxxxx, host id: xxxxxxxxxxxxxxxxxxxx
│ 為什么我得到這個錯誤?
uj5u.com熱心網友回復: 鏈接的AWS檔案中給出的策略應該被附加到與kinesis firehose相關的IAM角色上。
S3 bucket策略是基于資源的策略。在基于資源的策略中,你可以只指定與該特定資源(本例中的S3桶)相關的操作。但是,由于你試圖將kinesis資料流動作添加到S3桶策略中,你會得到 "無效動作 "的錯誤
標籤:Error: Error.
Error: 放置S3策略出錯。MalformedPolicy。政策有無效的行動