我正在嘗試使用 terraform 為專用用戶創建一個 S3 存盤桶以進行上傳/下載。
由于某種原因,正在創建的用戶無法訪問存盤桶:
$ aws iam list-attached-user-policies --user-name csgoserver
{
"AttachedPolicies": [
{
"PolicyName": "AllowUsercsgoserverAccessTocsgofiles",
"PolicyArn": "arn:aws:iam::370179080679:policy/AllowUsercsgoserverAccessTocsgofiles"
}
]
}
$ aws s3 cp bucket.tf s3://csgofiles --profile test
upload failed: .\bucket.tf to s3://csgofiles/bucket.tf An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
$ aws iam get-user-policy --user-name csgoserver --policy-name AllowUsercsgoserverAccessTocsgofiles
An error occurred (NoSuchEntity) when calling the GetUserPolicy operation: The user policy with name AllowUsercsgoserverAccessTocsgofiles cannot be found.
用戶.tf:
resource "aws_iam_user" "s3user" {
name = var.user_name
force_destroy = true
}
data "aws_iam_policy_document" "default" {
statement {
sid = "AllowUser${var.user_name}AccessTo${var.bucket_name}"
actions = ["s3:*"]
resources = ["arn:aws:s3:::${var.bucket_name}"]
effect = "Allow"
}
}
resource "aws_iam_user_policy" "s3user_policy" {
name = aws_iam_user.s3user.name
user = aws_iam_user.s3user.name
policy = join("", data.aws_iam_policy_document.default.*.json)
}
resource "aws_iam_access_key" "s3user_ak" {
user = aws_iam_user.s3user.name
}
還有一件事我不明白。在AWS的IAM得到政策不會對政策作業:
$ aws iam list-policies --max-items 2
{
"Policies": [
{
"PolicyName": "AllowUsercsgoserverAccessTocsgofiles",
"PolicyId": "ANPAVMMDEQHTRE4NG3N2E",
"Arn": "arn:aws:iam::370179080679:policy/AllowUsercsgoserverAccessTocsgofiles",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 1,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2021-11-26T22:17:52 00:00",
"UpdateDate": "2021-11-26T22:17:52 00:00"
},
{
"PolicyName": "eks-full-access-policy",
"PolicyId": "ANPAVMMDEQHTR4C65WFT6",
"Arn": "arn:aws:iam::370179080679:policy/eks-full-access-policy",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 0,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2021-03-30T09:57:04 00:00",
"UpdateDate": "2021-03-30T09:57:04 00:00"
}
],
"NextToken": "eyJNYXJrZXIiOiBudWxsLCAiYm90b190cnVuY2F0ZV9hbW91bnQiOiAyfQ=="
}
$ aws iam get-policy --policy-arn arn:aws:iam::370179080679:policy/AllowUsercsgoserverAccessTocsgofile
An error occurred (NoSuchEntity) when calling the GetPolicy operation: Policy arn:aws:iam::370179080679:policy/AllowUsercsgoserverAccessTocsgofile was not found.
$ aws iam get-policy --policy-arn arn:aws:iam::370179080679:policy/eks-full-access-policy
{
"Policy": {
"PolicyName": "eks-full-access-policy",
"PolicyId": "ANPAVMMDEQHTR4C65WFT6",
"Arn": "arn:aws:iam::370179080679:policy/eks-full-access-policy",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 0,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2021-03-30T09:57:04 00:00",
"UpdateDate": "2021-03-30T09:57:04 00:00"
}
}
uj5u.com熱心網友回復:
我認為您的 IAM 政策無效。您可以使用類似于以下內容的內容:
{
"Id": "Policy1638106306386",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1638106302079",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::examplebucket",
"Principal": {
"AWS": [
"370179080679"
]
}
}
]
}
我還建議將策略行內到您的aws_iam_user_policy資源中,而不是使用資料源。查看檔案,它似乎政策是aws_iam_user_policy 資源中的必填欄位。
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy
也許像下面這樣:
resource "aws_iam_user_policy" "s3user_policy" {
name = aws_iam_user.s3user.name
user = aws_iam_user.s3user.name
policy = jsonencode ({
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1638106302079",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::examplebucket/*",
}
]
})
uj5u.com熱心網友回復:
我在末尾的 Resource 鍵中缺少兩個字符/* ...
data "aws_iam_policy_document" "default" {
statement {
sid = "AllowUser${var.user_name}AccessTo${var.bucket_name}"
actions = ["s3:*"]
resources = ["arn:aws:s3:::${var.bucket_name}/*"]
effect = "Allow"
}
}
轉載請註明出處,本文鏈接:https://www.uj5u.com/houduan/371305.html
標籤:亚马逊网络服务 亚马逊-s3 地形 terraform-provider-aws
上一篇:“GetObject時發生錯誤。S3錯誤代碼:PermanentRedirect。S3錯誤訊息:存盤桶在此區域:us-east-1