Question
I would like to be able to change the policies on s3 buckets using cloudformation. However when I attempt to do this I encounter the error:
2017-12-21 18:49:10 UTC TestBucketpolicyAwsS3Bucketpolicy CREATE_FAILED API: s3:PutBucketPolicy Access Denied
Here is an example of a cloudformation template that fails due to this issue:
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "",
  "Resources": {
    "TestBucketpolicyAwsS3Bucketpolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": "alex-test-bucket-123",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": [
                  "*"
                ]
              },
              "Resource": "arn:aws:s3:::alex-test-bucket-123/*",
              "Action": [
                "s3:GetObject*",
                "s3:DeleteObject*",
                "s3:PutObject*"
              ]
            }
          ]
        }
      }
    }
  }
}
I have tried changing policies on both my IAM user and the actual bucket I want to manage with cloudformation, but neither solution has resolved the issue. How can I remove this "s3:PutBucketPolicy" restriction?
Edit: I think the issue may be that only IAM roles can access the "s3:PutBucketPolicy" operation. I may need to create a role with s3 access then establish a trust relationship with the user that runs this cloudformation template.
https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html
Answer 1:
IAM users cannot directly run s3:PutBucketPolicy operations. You need to create a separate IAM role and attach it to your user with a trust relationship to assume that IAM role.
Your role will need s3 and cloudformation access. The policy document below will work.
{
  "Version": "2012-10-17",
  "Statement": {
    "Action": [
      "s3:*",
      "cloudformation:*"
    ],
    "Resource": "*",
    "Effect": "Allow"
  }
}
The arn of your IAM role will then need to be set in your config or the AWS_STS_ROLE_ARN environmental variable along with your aws access keys.
Once you assume the role you will then be able to change s3 bucket policies.
Note that this will override any permissions your user has when you set your AWS_STS_ROLE_ARN in your config or environmental variables.
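An added example, not code from the question or the answer above: an offline, standard-library-only checker for the two policy documents on this page. It serves both posts. For the answer's role policy it applies IAM-style wildcard matching to confirm, before anyone assumes the role, that the document really covers the call that failed (s3:PutBucketPolicy on the bucket ARN). For the question's CloudFormation template it pulls out the PolicyDocument and flags any statement that grants put or delete actions to the anonymous principal "*", which is what that template does. The TEMPLATE and ROLE_POLICY values are copied from the page; SCOPED_POLICY is my own illustration of a narrower alternative limited to the one bucket and is an assumption, not something the answer proposes.

```python
# Added example (not from the Stack Overflow question or answer): an offline
# checker for the policy documents on this page, standard library only.
import re

# CloudFormation template from the question (copied from the page).
TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "TestBucketpolicyAwsS3Bucketpolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {
                "Bucket": "alex-test-bucket-123",
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {"AWS": ["*"]},
                        "Resource": "arn:aws:s3:::alex-test-bucket-123/*",
                        "Action": ["s3:GetObject*", "s3:DeleteObject*", "s3:PutObject*"],
                    }],
                },
            },
        }
    },
}

# Role policy from the answer (copied from the page). A single Statement object
# instead of a list is accepted by IAM, so the checker handles both shapes.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Action": ["s3:*", "cloudformation:*"], "Resource": "*", "Effect": "Allow"},
}

# Assumption (mine, not from the page): a narrower policy that still covers the
# failing call, scoped to the one bucket. Permissions for the CloudFormation
# stack operation itself are left out to keep the example focused.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:DeleteBucketPolicy"],
        "Resource": "arn:aws:s3:::alex-test-bucket-123",
    }],
}


def _as_list(value):
    """IAM allows a scalar or a list for Statement, Action, Resource and Principal.AWS."""
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value, ignore_case=False):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one.
    Action names match case-insensitively; ARNs are case-sensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def allows(policy, action, resource):
    """Evaluate an identity-based policy for one action/resource pair.
    An explicit Deny wins over any Allow; with no match the default is deny.
    Conditions, NotAction and NotResource are deliberately not modelled."""
    decision = False
    for stmt in _as_list(policy["Statement"]):
        if not any(_iam_match(a, action, True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_iam_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        decision = True
    return decision


# Representative write actions: an Action pattern covering any of these, combined
# with Principal "*", makes the bucket writable by anyone on the internet.
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutBucketPolicy")


def _is_anonymous(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_write_statements(template):
    """Return [(logical_id, [risky action patterns])] for every AWS::S3::BucketPolicy
    in a CloudFormation template that grants write/delete actions to the anonymous principal."""
    findings = []
    for logical_id, resource in template["Resources"].items():
        if resource.get("Type") != "AWS::S3::BucketPolicy":
            continue
        for stmt in _as_list(resource["Properties"]["PolicyDocument"]["Statement"]):
            if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
                continue
            risky = [a for a in _as_list(stmt.get("Action", []))
                     if any(_iam_match(a, w, True) for w in WRITE_ACTIONS)]
            if risky:
                findings.append((logical_id, risky))
    return findings


if __name__ == "__main__":
    bucket_arn = "arn:aws:s3:::alex-test-bucket-123"
    print("role policy covers s3:PutBucketPolicy:", allows(ROLE_POLICY, "s3:PutBucketPolicy", bucket_arn))
    print("scoped policy covers it too:", allows(SCOPED_POLICY, "s3:PutBucketPolicy", bucket_arn))
    print("public-write findings:", public_write_statements(TEMPLATE))
```

Run as a script it reports that both the answer's policy and the scoped one cover the failing call, and that the question's template grants "s3:DeleteObject*" and "s3:PutObject*" to the anonymous principal. The evaluator is intentionally minimal (no Condition blocks, NotAction or cross-account logic), so treat it as a pre-deploy sanity check on a template, not a substitute for the IAM policy simulator.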
Source: https://stackoverflow.com/questions/47931342/how-to-change-s3-bucket-policies-with-cloudformation