英文:
Invalid Resource and malformed policy errors - aws cloudformation YAML
问题
I can help you translate the JSON policy into YAML. Here's the equivalent YAML representation:
S3CURBucketPolicy:
Type: 'AWS::S3::BucketPolicy'
Properties:
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: stmt_cross_acct_rs_Access
Effect: Allow
Principal:
AWS:
- arn:aws:iam::12345678:role/role_rs_1
- arn:aws:iam::12345678:root
Action:
- 's3:GetBucketLocation'
- 's3:GetObject'
- 's3:ListBucket'
- 's3:ListBucketMultipartUploads'
- 's3:ListMultipartUploadParts'
- 's3:AbortMultipartUpload'
- 's3:PutObject'
Resource:
- !Join [ '', ['arn:aws:s3:::', !Ref S3BucketTest] ]
- !Join [ '', ['arn:aws:s3:::', !Ref S3BucketTest, '/*'] ]
Bucket: !Ref S3BucketTest
S3BucketTest:
Type: AWS::S3::Bucket
This YAML configuration replicates the provided JSON policy using AWS CloudFormation syntax.
英文:
Addig bucketpolicy for a s3 Bucket. But am running into multiple problems defining it in YAML. Here is the sample -
S3CURBucketPolicy:
Type: 'AWS::S3::BucketPolicy'
Properties:
PolicyDocument:
Statement:
- Action:
- 's3:ListBucket'
Resource: !Join [ '', ["arn:aws:s3:::", !Ref S3BucketTest]]
Effect: Allow
Condition:
StringEquals:
'AWS:SourceAccount':
- 12334456676
Principal: '*'
Bucket: !Ref S3BucketTest
S3BucketTest is the resource name of s3 bucket I defined in the same cft
S3BucketTest:
Type: AWS::S3::Bucket
I was able to create s3 bucket without any issues, but the bucketpolicy giving errors.
- For the above yaml, it says that resource name is invalid.
- If I have multiple Actions and I mention them in [], it throws invalid Acttions and malformed policy error.
- I alo want to mention multiple resources.
I am essentially looking to replicatee this in YAML -
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "stmt_cross_acct_rs_Access",
"Effect": "Allow",
"Principal": {
"AWS": ["arn:aws:iam::12345678:role/role_rs_1", "arn:aws:iam::12345678:root"]
},
"Action": [
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::<demo-bucket>",
"arn:aws:s3:::<demo-bucket>/*"
]
}
]
}
答案1
得分: 1
假设您已经有一个名为'demobucket'的存储桶资源或参数,上面的JSON在YAML中将如下所示:
Version: 2012-10-17
Statement:
- Sid: stmt_cross_acct_rs_Access
Effect: Allow
Principal:
AWS:
- arn:aws:iam::12345678:role/role_rs_1
- arn:aws:iam::12345678:root
Action:
- s3:GetBucketLocation
- s3:GetObject
- s3:ListBucket
- s3:ListBucketMultipartUploads
- s3:ListMultipartUploadParts
- s3:AbortMultipartUpload
- s3:PutObject
Resource:
- !Sub 'arn:aws:s3:::${demobucket}'
- !Sub 'arn:aws:s3:::${demobucket}/*'
对于您提供的YAML,应该这样处理:
S3CURBucketPolicy:
Type: 'AWS::S3::BucketPolicy'
Properties:
PolicyDocument:
Statement:
- Action:
- 's3:ListBucket'
Resource: !GetAtt S3BucketTest.Arn
Effect: Allow
Condition:
StringEquals:
'AWS:SourceAccount':
- 12334456676
Principal: '*'
Bucket: !Ref S3BucketTest
英文:
Assuming you have a 'demobucket' as either a bucket resource or a parameter, the JSON above would look like this in YAML:
Version: 2012-10-17
Statement:
- Sid: stmt_cross_acct_rs_Access
Effect: Allow
Principal:
AWS:
- arn:aws:iam::12345678:role/role_rs_1
- arn:aws:iam::12345678:root
Action:
- s3:GetBucketLocation
- s3:GetObject
- s3:ListBucket
- s3:ListBucketMultipartUploads
- s3:ListMultipartUploadParts
- s3:AbortMultipartUpload
- s3:PutObject
Resource:
- !Sub 'arn:aws:s3:::${demobucket}'
- !Sub 'arn:aws:s3:::${demobucket}/*'
This is what you should do for the YAML you had:
S3CURBucketPolicy:
Type: 'AWS::S3::BucketPolicy'
Properties:
PolicyDocument:
Statement:
- Action:
- 's3:ListBucket'
Resource: !GetAtt S3BucketTest.Arn
Effect: Allow
Condition:
StringEquals:
'AWS:SourceAccount':
- 12334456676
Principal: '*'
Bucket: !Ref S3BucketTest
答案2
得分: 1
这对我来说有效。我能够创建这个堆栈。我只需要将join改为sub。
AWSTemplateFormatVersion: '2010-09-09'
Resources:
S3BucketTest:
Type: AWS::S3::Bucket
S3CURBucketPolicy:
Type: 'AWS::S3::BucketPolicy'
Properties:
PolicyDocument:
Statement:
- Action:
- 's3:ListBucket'
Resource:
- !Sub 'arn:aws:s3:::${S3BucketTest}'
- !Sub 'arn:aws:s3:::${S3BucketTest}/*'
Effect: Allow
Condition:
StringEquals:
'AWS:SourceAccount':
- 12334456676
Principal: '*'
Bucket: !Ref S3BucketTest
希望这对你有帮助。
英文:
This works for me. I was able to create the stack. I only had to change join to sub.
AWSTemplateFormatVersion: '2010-09-09'
Resources:
S3BucketTest:
Type: AWS::S3::Bucket
S3CURBucketPolicy:
Type: 'AWS::S3::BucketPolicy'
Properties:
PolicyDocument:
Statement:
- Action:
- 's3:ListBucket'
Resource:
- !Sub 'arn:aws:s3:::${S3BucketTest}'
- !Sub 'arn:aws:s3:::${S3BucketTest}/*'
Effect: Allow
Condition:
StringEquals:
'AWS:SourceAccount':
- 12334456676
Principal: '*'
Bucket: !Ref S3BucketTest
Hope this helps.
答案3
得分: 0
For multiple resources, try this:
Resource:
- 'arn:aws:s3::<demo-bucket>'
- 'arn:aws:s3::<demo-bucket>'
英文:
For multiple resources, try this:
<!-- language: lang-yaml -->
Resource:
- 'arn:aws:s3:::<demo-bucket>'
- 'arn:aws:s3:::<demo-bucket>'
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论