【发布时间】:2021-03-21 09:11:40
【问题描述】:
我正在尝试将账户 B 中的 Glue 中的一个虚拟文件放入账户 A 中的 S3 存储桶。S3 存储桶(测试存储桶)正在启用 AWS-KMS 加密并启用 aws/s3 托管密钥。
- 我在账户 A-S3 存储桶(测试存储桶)中添加了以下权限:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Deny PutObject if NOT using correct KMS Encryption Key",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::test-bucket/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "",
"s3:x-amz-server-side-encryption-aws-kms-key-id": "<ARN_KMS_ACCOUNT_A>"
}
}
},
{
"Sid": "Allow Glue Role in Application account to put objects in the S3 bucket",
"Effect": "Allow",
"Principal": {
"AWS": "<IAM_Glue_Role_ARN>"
},
"Action": [
"s3:AbortMultipartUpload",
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::test-bucket",
"arn:aws:s3:::test-bucket/*"
]
},
{
"Sid": "Only allow writes to my bucket with bucket owner full control",
"Effect": "Allow",
"Principal": {
"AWS": "<IAM_Glue_Role_ARN>"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::test-bucket/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}
- 为账户 B 中的 IAM Glue 角色添加了以下策略
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:Get*",
"s3:List*",
"s3:Put*"
],
"Resource": "arn:aws:s3:::test-bucket*",
"Effect": "Allow"
},
{
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey"
],
"Resource": "<ARN_KMS_ACCOUNT_A>",
"Effect": "Allow"
}
]
}
这是我的胶水代码:
s3.put_object(
Bucket='output',
Key='_SUCCESS',
ServerSideEncryption='aws:kms',
SSEKMSKeyId='<ARN_KMS_ACCOUNT_A>'
)
从 Account B Glue 运行此代码时出现以下错误:
ClientError: An error occurred (KMS.NotFoundException) when calling the PutObject operation: Invalid arn ap-southeast-2
对此有什么想法吗?
【问题讨论】:
-
这真的有意义吗? "StringNotEquals": { "s3:x-amz-server-side-encryption": "",
标签: amazon-web-services amazon-s3 aws-glue amazon-kms