Serverless Framework: CREATE_FAILED: filesBucketPolicy (AWS::S3::BucketPolicy) API: s3:PutBucketPolicy Access Denied

huangapple go评论120阅读模式
英文:

Serverless Framework: CREATE_FAILED: filesBucketPolicy (AWS::S3::BucketPolicy) API: s3:PutBucketPolicy Access Denied

问题

在使用Serverless框架创建S3存储桶时遇到了以下错误:

Error:
CREATE_FAILED: filesBucketPolicy (AWS::S3::BucketPolicy)
API: s3:PutBucketPolicy Access Denied

查看完整错误信息: https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stack/detail?stackId=arn%3Aaws%3Acloudformation%3Aus-east-1%3A429622143498%3Astack%2Fmy-store-files-s3-serverless-dev%2Ff12946d0-ec01-11ed-9b7d-0eca31e3dbdd

请问如何解决这个问题?期望的结果是创建S3存储桶,但实际获得的是访问拒绝错误。

英文:

Create S3 bucket with serverless framework get the error:

Error:
CREATE_FAILED: filesBucketPolicy (AWS::S3::BucketPolicy)
API: s3:PutBucketPolicy Access Denied

View the full error: https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stack/detail?stackId=arn%3Aaws%3Acloudformation%3Aus-east-1%3A429622143498%3Astack%2Fmy-store-files-s3-serverless-dev%2Ff12946d0-ec01-11ed-9b7d-0eca31e3dbdd

My Enviroment:

Environment: darwin, node 18.12.1, framework 3.30.1, plugin 6.2.3, SDK 4.3.2
Credentials: Local, "default" profile
Docs:        docs.serverless.com
Support:     forum.serverless.com
Bugs:        github.com/serverless/serverless/issues

My serverless.yml code is:

service: my-store-files-s3-serverless
frameworkVersion: '3'

provider:
  name: aws
  runtime: nodejs18.x

  iamRoleStatements:
    - Effect: Allow
      Action:
        - s3:PutObject
        - s3:PutObjectAcl
      Resource: arn:aws:s3:::my-store-files-bucket/*


functions:
  api:
    handler: index.handler
    events:
      - httpApi:
          path: /
          method: get

resources:
  Resources:
    filesBucket:
      Type: AWS::S3::Bucket
      DeletionPolicy: Delete
      Properties:
        BucketName: my-store-files-bucket
        AccessControl: Private
    filesBucketPolicy:
      Type: AWS::S3::BucketPolicy
      Properties:
        PolicyDocument:
          Statement:
            - Effect: Allow
              Action:
                - s3:GetObject
              Resource: arn:aws:s3:::my-store-files-bucket/*
              Principal: "*"
        Bucket:
          Ref: filesBucket

and I configure the serverless with IAM user credential AdminstratorAccess Policy.

Please how can I solve this problem.

what expected to happen is: Create Bucket in S3

What I get is:

Error:
CREATE_FAILED: filesBucketPolicy (AWS::S3::BucketPolicy)
API: s3:PutBucketPolicy Access Denied

答案1

得分: 0

Provider中的iamRoleStatements用于Lambda函数,请参见:Lambda函数的IAM权限

看起来CloudFormation没有权限设置S3资源级策略。

英文:

iamRoleStatements in Provider are for Lambda functions, see: IAM Permissions For Functions

It looks like that CloudFormation does not have the permission to set S3 resource-level policy.

答案2

得分: 0

由于最近的一些更改,似乎我们需要添加更多行来使其工作。请参考下面的工作示例。

resources:
  Resources:
    ImagesBucket:
      Type: AWS::S3::Bucket
      Properties:
        BucketName: ${self:service}-s3-${sls:stage}
        
        # Granting public access to bucket
        PublicAccessBlockConfiguration:
          BlockPublicAcls: false
          BlockPublicPolicy: false
          IgnorePublicAcls: false
          RestrictPublicBuckets: false
    ImagesBucketAllowPublicReadPolicy:
      Type: AWS::S3::BucketPolicy
      Properties:
        Bucket: !Ref ImagesBucket
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Sid: AllowPublicReadAccess
              Effect: Allow
              Action:
                - "s3:GetObject"
              Resource:
                - !Join ['/', [!GetAtt [ImagesBucket, Arn], '*']]
              Principal: "*"
              Condition:
                Bool:
                  aws:SecureTransport: 'true'

请注意,我已经帮您翻译了代码部分,您可以在上面的示例中看到翻译后的内容。

英文:

Due to some recent changes seems like we have to add few more lines to make it work.
See the working example shown bellow.

resources:
  Resources:
    ImagesBucket: 
      Type: AWS::S3::Bucket
      Properties:
        BucketName: ${self:service}-s3-${sls:stage}

        # Granting public access to bucket
        PublicAccessBlockConfiguration:
          BlockPublicAcls: false
          BlockPublicPolicy: false
          IgnorePublicAcls: false
          RestrictPublicBuckets: false
    ImagesBucketAllowPublicReadPolicy:
      Type: AWS::S3::BucketPolicy
      Properties:
        Bucket: !Ref ImagesBucket
        PolicyDocument:
          Version: "2012-10-17"
          Statement: 
            - Sid: AllowPublicReadAccess
              Effect: Allow
              Action: 
                - "s3:GetObject"
              Resource: 
                - !Join ['/', [!GetAtt [ImagesBucket, Arn], '*']]
              Principal: "*"    
              Condition:
                Bool:
                  aws:SecureTransport: 'true'

huangapple
  • 本文由 发表于 2023年5月6日 19:48:10
  • 转载请务必保留本文链接:https://go.coder-hub.com/76188702.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定