如何在AWS SAM模板中授予S3存储桶的公开只读访问权限

huangapple go评论95阅读模式
英文:

How to grant public read only access to S3 Bucket in AWS SAM template

问题

我正在创建一个SAM模板中的S3存储桶,并希望为其提供公共读取权限。到目前为止,我想到了以下内容:

  ProductBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub ${ProductBucketName}${Stage}


  ProductBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ProductBucket
      PolicyDocument:
        Id: PublicReadPolicy
        Version: 2012-10-17
        Statement:
          - Sid: PublicReadForGetBucketObjects
            Effect: Allow
            Principal: '*'
            Action: 's3:GetObject'
            Resource: !Join
              - ''
              - - 'arn:aws:s3:::'
                - !Ref ProductBucket

这导致了一个格式不正确的异常。
英文:

I am creating an S3 bucket in a SAM template and would like to give it public read access. This is what I came up with so far:

  ProductBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub ${ProductBucketName}${Stage}


  ProductBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ProductBucket
      PolicyDocument:
        Id: PublicReadPolicy
        Version: 2012-10-17
        Statement:
          - Sid: PublicReadForGetBucketObjects
            Effect: Allow
            Principal: '*'
            Action: 's3:GetObject'
            Resource: !Join
              - ''
              - - 'arn:aws:s3:::'
                - !Ref ProductBucket

This fails with a malformed exception.

答案1

得分: 3

Your template is fine except the line that says - - 'arn:aws:s3:::' where its malformed. Just a suggestion that you can use Fn::Sub over Fn::Join when delimiter is an empty string.

AWSTemplateFormatVersion: "2010-09-09"

Parameters:
ProductBucketName:
Type: String

Resources:
ProductBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Sub ${ProductBucketName}-${AWS::StackName}

ProductBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref ProductBucket
PolicyDocument:
Id: PublicReadPolicy
Version: 2012-10-17
Statement:
- Sid: PublicReadForGetBucketObjects
Effect: Allow
Principal: ''
Action: 's3:GetObject'
Resource: !Sub arn:aws:s3:::${ProductBucket}/

Hope this helps you move forward.

英文:

Your template is fine except the line that says - - 'arn:aws:s3:::' where its malformed. Just a suggestion that you can use Fn::Sub over Fn::Join when delimiter is an empty string.

AWSTemplateFormatVersion: "2010-09-09"

Parameters:
  ProductBucketName:
    Type: String

Resources:
  ProductBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub ${ProductBucketName}-${AWS::StackName}


  ProductBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ProductBucket
      PolicyDocument:
        Id: PublicReadPolicy
        Version: 2012-10-17
        Statement:
          - Sid: PublicReadForGetBucketObjects
            Effect: Allow
            Principal: '*'
            Action: 's3:GetObject'
            Resource: !Sub arn:aws:s3:::${ProductBucket}/*

Hope this help you move forward.

答案2

得分: 1

我发现AWS文档的YAML示例看起来有点奇怪,但我按照它的示例为我的CF堆栈授予了IAM s3:PutBucketPolicy权限,它运行正常。以下是我的SAM。

  ExampleBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub <bucket-name>

  ExampleBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: "ExampleBucket"
      PolicyDocument:
        Statement:
          - Action:
              - "s3:GetObject"
            Effect: "Allow"
            Resource:
              Fn::Join:
                - ""
                - - "arn:aws:s3:::"
                  - Ref: "ExampleBucket"
                  - "/*"
            Principal: "*"

这是您可能已经查阅的AWS文档页面链接:https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-policy.html.

英文:

I found the AWS documentation's yaml example to look a bit funny, but I followed it and gave my CF stack IAM s3:PutBucketPolicy permissions, and it worked. Below is my SAM.

  ExampleBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub &lt;bucket-name&gt;

  ExampleBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: &quot;ExampleBucket&quot;
      PolicyDocument:
        Statement:
          - Action:
              - &quot;s3:GetObject&quot;
            Effect: &quot;Allow&quot;
            Resource:
              Fn::Join:
                - &quot;&quot;
                - - &quot;arn:aws:s3:::&quot;
                  - Ref: &quot;ExampleBucket&quot;
                  - &quot;/*&quot;
            Principal: &quot;*&quot;

Here is the AWS documentation page you've probably already consulted: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-policy.html.

huangapple
  • 本文由 发表于 2020年1月3日 23:18:22
  • 转载请务必保留本文链接:https://go.coder-hub.com/59581050.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定