英文:
Serverless Framework: CREATE_FAILED: filesBucketPolicy (AWS::S3::BucketPolicy) API: s3:PutBucketPolicy Access Denied
问题
在使用Serverless框架创建S3存储桶时遇到了以下错误:
Error:
CREATE_FAILED: filesBucketPolicy (AWS::S3::BucketPolicy)
API: s3:PutBucketPolicy Access Denied
查看完整错误信息: https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stack/detail?stackId=arn%3Aaws%3Acloudformation%3Aus-east-1%3A429622143498%3Astack%2Fmy-store-files-s3-serverless-dev%2Ff12946d0-ec01-11ed-9b7d-0eca31e3dbdd
请问如何解决这个问题?期望的结果是创建S3存储桶,但实际获得的是访问拒绝错误。
英文:
Create S3 bucket with serverless framework get the error:
Error:
CREATE_FAILED: filesBucketPolicy (AWS::S3::BucketPolicy)
API: s3:PutBucketPolicy Access Denied
View the full error: https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stack/detail?stackId=arn%3Aaws%3Acloudformation%3Aus-east-1%3A429622143498%3Astack%2Fmy-store-files-s3-serverless-dev%2Ff12946d0-ec01-11ed-9b7d-0eca31e3dbdd
My Enviroment:
Environment: darwin, node 18.12.1, framework 3.30.1, plugin 6.2.3, SDK 4.3.2
Credentials: Local, "default" profile
Docs: docs.serverless.com
Support: forum.serverless.com
Bugs: github.com/serverless/serverless/issues
My serverless.yml code is:
service: my-store-files-s3-serverless
frameworkVersion: '3'
provider:
name: aws
runtime: nodejs18.x
iamRoleStatements:
- Effect: Allow
Action:
- s3:PutObject
- s3:PutObjectAcl
Resource: arn:aws:s3:::my-store-files-bucket/*
functions:
api:
handler: index.handler
events:
- httpApi:
path: /
method: get
resources:
Resources:
filesBucket:
Type: AWS::S3::Bucket
DeletionPolicy: Delete
Properties:
BucketName: my-store-files-bucket
AccessControl: Private
filesBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
PolicyDocument:
Statement:
- Effect: Allow
Action:
- s3:GetObject
Resource: arn:aws:s3:::my-store-files-bucket/*
Principal: "*"
Bucket:
Ref: filesBucket
and I configure the serverless with IAM user credential AdminstratorAccess Policy.
Please how can I solve this problem.
what expected to happen is: Create Bucket in S3
What I get is:
Error:
CREATE_FAILED: filesBucketPolicy (AWS::S3::BucketPolicy)
API: s3:PutBucketPolicy Access Denied
答案1
得分: 0
Provider中的iamRoleStatements用于Lambda函数,请参见:Lambda函数的IAM权限。
看起来CloudFormation没有权限设置S3资源级策略。
英文:
iamRoleStatements in Provider are for Lambda functions, see: IAM Permissions For Functions
It looks like that CloudFormation does not have the permission to set S3 resource-level policy.
答案2
得分: 0
由于最近的一些更改,似乎我们需要添加更多行来使其工作。请参考下面的工作示例。
resources:
Resources:
ImagesBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: ${self:service}-s3-${sls:stage}
# Granting public access to bucket
PublicAccessBlockConfiguration:
BlockPublicAcls: false
BlockPublicPolicy: false
IgnorePublicAcls: false
RestrictPublicBuckets: false
ImagesBucketAllowPublicReadPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref ImagesBucket
PolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: AllowPublicReadAccess
Effect: Allow
Action:
- "s3:GetObject"
Resource:
- !Join ['/', [!GetAtt [ImagesBucket, Arn], '*']]
Principal: "*"
Condition:
Bool:
aws:SecureTransport: 'true'
请注意,我已经帮您翻译了代码部分,您可以在上面的示例中看到翻译后的内容。
英文:
Due to some recent changes seems like we have to add few more lines to make it work.
See the working example shown bellow.
resources:
Resources:
ImagesBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: ${self:service}-s3-${sls:stage}
# Granting public access to bucket
PublicAccessBlockConfiguration:
BlockPublicAcls: false
BlockPublicPolicy: false
IgnorePublicAcls: false
RestrictPublicBuckets: false
ImagesBucketAllowPublicReadPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref ImagesBucket
PolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: AllowPublicReadAccess
Effect: Allow
Action:
- "s3:GetObject"
Resource:
- !Join ['/', [!GetAtt [ImagesBucket, Arn], '*']]
Principal: "*"
Condition:
Bool:
aws:SecureTransport: 'true'
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论