Invalid Resource and malformed policy errors – aws cloudformation YAML

Question


Adding a bucket policy for an S3 bucket. But I am running into multiple problems defining it in YAML. Here is the sample -

S3CURBucketPolicy:
  Type: 'AWS::S3::BucketPolicy'
  Properties:
    PolicyDocument:
      Statement:
        - Action:
            - 's3:ListBucket'
          Resource: !Join [ '', ["arn:aws:s3:::", !Ref S3BucketTest]]
          Effect: Allow
          Condition:
            StringEquals:
              'AWS:SourceAccount':
                - 12334456676
          Principal: '*'
    Bucket: !Ref S3BucketTest

S3BucketTest is the resource name of the S3 bucket I defined in the same CFT:

S3BucketTest:
  Type: AWS::S3::Bucket

I was able to create the S3 bucket without any issues, but the bucket policy is giving errors.

  1. For the above YAML, it says that the resource name is invalid.
  2. If I have multiple Actions and I mention them in [], it throws invalid Actions and malformed policy errors.
  3. I also want to mention multiple resources.

I am essentially looking to replicate this in YAML -

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "stmt_cross_acct_rs_Access",
            "Effect": "Allow",
            "Principal": {
                "AWS": ["arn:aws:iam::12345678:role/role_rs_1", "arn:aws:iam::12345678:root"]
            },
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:ListMultipartUploadParts",
                "s3:AbortMultipartUpload",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::<demo-bucket>",
                "arn:aws:s3:::<demo-bucket>/*"
            ]
        }
    ]
}

Answer 1 (score: 1)

Assuming you have a 'demobucket' as either a bucket resource or a parameter, the JSON above would look like this in YAML:

Version: 2012-10-17
Statement:
  - Sid: stmt_cross_acct_rs_Access
    Effect: Allow
    Principal:
      AWS:
        - arn:aws:iam::12345678:role/role_rs_1
        - arn:aws:iam::12345678:root
    Action:
      - s3:GetBucketLocation
      - s3:GetObject
      - s3:ListBucket
      - s3:ListBucketMultipartUploads
      - s3:ListMultipartUploadParts
      - s3:AbortMultipartUpload
      - s3:PutObject
    Resource:
      - !Sub 'arn:aws:s3:::${demobucket}'
      - !Sub 'arn:aws:s3:::${demobucket}/*'

This is what you should do for the YAML you had:

S3CURBucketPolicy:
  Type: 'AWS::S3::BucketPolicy'
  Properties:
    PolicyDocument:
      Statement:
        - Action:
            - 's3:ListBucket'
          Resource: !GetAtt S3BucketTest.Arn
          Effect: Allow
          Condition:
            StringEquals:
              'AWS:SourceAccount':
                - 12334456676
          Principal: '*'
    Bucket: !Ref S3BucketTest

Answer 2 (score: 1)

This works for me. I was able to create the stack. I only had to change join to sub.

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  S3BucketTest:
    Type: AWS::S3::Bucket
  S3CURBucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - 's3:ListBucket'
            Resource: 
              - !Sub 'arn:aws:s3:::${S3BucketTest}'
              - !Sub 'arn:aws:s3:::${S3BucketTest}/*'              
            Effect: Allow
            Condition:
              StringEquals:
                'AWS:SourceAccount':
                  - 12334456676
            Principal: '*'
      Bucket: !Ref S3BucketTest

Hope this helps.

Answer 3 (score: 0)

For multiple resources, try this:

Resource:
  - 'arn:aws:s3:::<demo-bucket>'      # the bucket itself (s3:ListBucket etc.)
  - 'arn:aws:s3:::<demo-bucket>/*'    # the objects inside it (s3:GetObject etc.)

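The short-form tags used in these answers (!Sub, !Ref, !GetAtt, !Join) are shorthand for CloudFormation's long-form Fn::Sub, Ref, Fn::GetAtt and Fn::Join. As an added example (not code from the page or from AWS), the Python below resolves those long forms for a bucket policy the way CloudFormation renders them and then lints the resulting Resource and Action values, including the ARN from answer 3; the bucket's physical name is an assumed value.

```python
import re

# Constructed sample (not from the page): assumed physical names that
# CloudFormation would assign to the template's logical bucket IDs.
BUCKETS = {"S3BucketTest": "s3buckettest-demo-1a2b3c"}

def resolve(node):
    """Expand the long forms that the YAML tags !Ref, !Sub, !GetAtt and
    !Join map to, so the policy reads as CloudFormation submits it to S3."""
    if isinstance(node, list):
        return [resolve(n) for n in node]
    if not isinstance(node, dict):
        return node
    if "Ref" in node:                         # !Ref Bucket -> bucket name
        return BUCKETS[node["Ref"]]
    if "Fn::Sub" in node:                     # !Sub 'arn:aws:s3:::${Bucket}'
        return re.sub(r"\$\{(\w+)\}", lambda m: BUCKETS[m.group(1)], node["Fn::Sub"])
    if "Fn::GetAtt" in node:                  # !GetAtt Bucket.Arn
        logical, attr = node["Fn::GetAtt"]
        if attr != "Arn":
            raise ValueError(f"unsupported attribute {attr}")
        return "arn:aws:s3:::" + BUCKETS[logical]
    if "Fn::Join" in node:                    # !Join [sep, [parts...]]
        sep, parts = node["Fn::Join"]
        return sep.join(resolve(parts))
    return {key: resolve(val) for key, val in node.items()}

S3_ARN = re.compile(r"^arn:aws:s3:::[a-z0-9.-]{3,63}(/.*)?$")
S3_ACTION = re.compile(r"^(\*|s3:[A-Za-z*]+)$")

def lint(policy):
    """Return Resource/Action values in a resolved policy that do not look
    like an S3 ARN or an S3 action, the usual cause of 'invalid resource'."""
    problems = []
    for stmt in policy["Statement"]:
        for field, pattern in (("Resource", S3_ARN), ("Action", S3_ACTION)):
            values = stmt.get(field, [])
            values = values if isinstance(values, list) else [values]
            problems += [f"{field}: {v!r}" for v in values if not pattern.match(str(v))]
    return problems

# The question's statement with the three bucket-ARN spellings the answers
# propose, plus the literal ARN from answer 3, which is missing a colon.
POLICY = {"Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": ["s3:ListBucket"],
    "Resource": [
        {"Fn::Sub": "arn:aws:s3:::${S3BucketTest}"},
        {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "S3BucketTest"}, "/*"]]},
        {"Fn::GetAtt": ["S3BucketTest", "Arn"]},
        "arn:aws:s3::<demo-bucket>"],
    "Condition": {"StringEquals": {"aws:SourceAccount": ["123456789012"]}}}]}

if __name__ == "__main__":
    rendered = resolve(POLICY)
    print(rendered["Statement"][0]["Resource"])
    print(lint(rendered))
```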
huangapple
  • Posted by huangapple on 2020-01-07 00:37:59
  • Please keep this link when reposting: https://go.coder-hub.com/59615784.html