创建 IAM 策略示例_策略时出错：MalformedPolicyDocument：策略文档不应指定委托人

Question

我正在尝试创建存储桶策略以授予 CloudFront 源访问身份 (OAI) 权限以获取（读取）您的 Amazon S3 存储桶中的所有对象。 但我面临这个错误，因为“发生错误：

 Error: error creating IAM policy example_policy: MalformedPolicyDocument: Policy document should not specify a principal.
│       status code: 400, request id: 95044f55-e4bf-403e-8233-95964ffe09d1
│
│   with module.iam.aws_iam_policy.s3Frontend,
│   on ..\modules\iam\resources.tf line 65, in resource "aws_iam_policy" "s3Frontend":
│   65: resource "aws_iam_policy" "s3Frontend" {

data "aws_iam_policy_document" "s3Frontend" {
  version = "2012-10-17"
  statement {
    effect = "Allow"
    actions = [
      "s3:GetObject",
      "s3:ListBucket"
    ]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity $MYID"] # 
    }
    resources = [ "arn:aws:s3:::WebSitefrontend/*" ]  
  }
} 

resource "aws_iam_policy" "s3Frontend" {
  name   = "example_policy"
  path   = "/"
  policy = data.aws_iam_policy_document.s3Frontend.json
}

output "s3FrontendId" {
    description     = "IDs of frontend deploy artifect on s3"
    value           = aws_iam_policy.s3-Frontend.id
} 

感谢您的帮助。

Answer 1

错误MalformedPolicyDocument: Policy document should not specify a principal指的是在resource "aws_iam_policy"中创建的IAM identity-based policy，不能包含principal。

您正在尝试创建基于 S3 存储桶资源的策略，该策略可用于 aws_s3_bucket_policy Terraform 资源。示例用法：

resource "aws_s3_bucket_policy" "s3Frontend" {
  bucket = aws_s3_bucket.WebSitefrontend.id
  policy = data.aws_iam_policy_document.s3Frontend.json
}