无效资源和格式错误的策略错误 - aws cloudformation YAML答案

【问题标题】：Invalid Resource and malformed policy errors - aws cloudformation YAML无效资源和格式错误的策略错误 - aws cloudformation YAML
【发布时间】：2020-04-24 05:08:26
【问题描述】：

为 s3 存储桶添加存储桶策略。但是在 YAML 中定义它时遇到了多个问题。这是示例 -

 S3CURBucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - 's3:ListBucket'
            Resource: !Join [ '', ["arn:aws:s3:::", !Ref S3BucketTest]] 
            Effect: Allow
            Condition:
              StringEquals:
                'AWS:SourceAccount':
                  - 12334456676
            Principal: '*'
      Bucket: !Ref S3BucketTest

S3BucketTest是我在同一个cft中定义的s3 bucket的资源名称

S3BucketTest:
  Type: AWS::S3::Bucket

我能够毫无问题地创建 s3 存储桶，但存储桶策略给出错误。

对于上述yaml，它说资源名称无效。
如果我有多个操作并且我在 [] 中提及它们，则会引发无效操作和格式错误的策略错误。
我还想提及多个资源。

我本质上是想在 YAML 中复制这个 -

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "stmt_cross_acct_rs_Access",
            "Effect": "Allow",
            "Principal": {
                "AWS": ["arn:aws:iam::12345678:role/role_rs_1", "arn:aws:iam::12345678:root"]
            },
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:ListMultipartUploadParts",
                "s3:AbortMultipartUpload",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::<demo-bucket>",
                "arn:aws:s3:::<demo-bucket>/*"
            ]
        }
    ]
}

【问题讨论】：

标签： amazon-web-services yaml amazon-cloudformation

【解决方案1】：

假设您有一个“demobucket”作为存储桶资源或参数，那么上面的 JSON 在 YAML 中将如下所示：

    Version: 2012-10-17
    Statement: 
      - Sid: stmt_cross_acct_rs_Access
        Effect: Allow
        Principal:
          AWS: 
            - arn:aws:iam::12345678:role/role_rs_1
            - arn:aws:iam::12345678:root
        Action:
          - s3:GetBucketLocation
          - s3:GetObject
          - s3:ListBucket
          - s3:ListBucketMultipartUploads
          - s3:ListMultipartUploadParts
          - s3:AbortMultipartUpload
          - s3:PutObject
        Resource:
          - !Sub 'arn:aws:s3:::${demobucket}'
          - !Sub 'arn:aws:s3:::${demobucket}/*'

这是你应该为你拥有的 YAML 做的：

 S3CURBucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - 's3:ListBucket'
            Resource: !GetAtt S3BucketTest.Arn 
            Effect: Allow
            Condition:
              StringEquals:
                'AWS:SourceAccount':
                  - 12334456676
            Principal: '*'
      Bucket: !Ref S3BucketTest

【讨论】：

【解决方案2】：

这对我有用。我能够创建堆栈。我只需要将join 更改为sub。

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  S3BucketTest:
    Type: AWS::S3::Bucket
  S3CURBucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - 's3:ListBucket'
            Resource: 
              - !Sub 'arn:aws:s3:::${S3BucketTest}'
              - !Sub 'arn:aws:s3:::${S3BucketTest}/*'              
            Effect: Allow
            Condition:
              StringEquals:
                'AWS:SourceAccount':
                  - 12334456676
            Principal: '*'
      Bucket: !Ref S3BucketTest

希望这会有所帮助。

【讨论】：

过得怎么样，告诉我们

【解决方案3】：

对于多个资源，试试这个：

Resource:
  - 'arn:aws:s3:::<demo-bucket>'
  - 'arn:aws:s3:::<demo-bucket>'

【讨论】：