【问题标题】:Why am I getting an the following error? "Error putting S3 policy: MalformedPolicy: Policy has invalid action"为什么我收到以下错误? “放置 S3 策略时出错:MalformedPolicy:策略的操作无效”
【发布时间】:2021-11-14 05:01:11
【问题描述】:

我正在按照指南 here 允许将日志写入 s3。

“使用以下访问策略使 Kinesis Data Firehose 能够访问您的 S3 存储桶和 AWS KMS 密钥。如果您不拥有 S3 存储桶,请将 s3:PutObjectAcl 添加到 Amazon S3 操作列表中。这会授予存储桶拥有对 Kinesis Data Firehose 交付的对象的完全访问权限。"

{
"Version": "2012-10-17",  
"Statement":
[    
    {      
        "Effect": "Allow",      
        "Action": [
            "s3:AbortMultipartUpload",
            "s3:GetBucketLocation",
            "s3:GetObject",
            "s3:ListBucket",
            "s3:ListBucketMultipartUploads",
            "s3:PutObject"
        ],      
        "Resource": [        
            "arn:aws:s3:::bucket-name",
            "arn:aws:s3:::bucket-name/*"            
        ]    
    },        
    {
        "Effect": "Allow",
        "Action": [
            "kinesis:DescribeStream",
            "kinesis:GetShardIterator",
            "kinesis:GetRecords",
            "kinesis:ListShards"
        ],
        "Resource": "arn:aws:kinesis:region:account-id:stream/stream-name"
    },
    {
       "Effect": "Allow",
       "Action": [
           "kms:Decrypt",
           "kms:GenerateDataKey"
       ],
       "Resource": [
           "arn:aws:kms:region:account-id:key/key-id"           
       ],
       "Condition": {
           "StringEquals": {
               "kms:ViaService": "s3.region.amazonaws.com"
           },
           "StringLike": {
               "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::bucket-name/prefix*"
           }
       }
    },
    {
       "Effect": "Allow",
       "Action": [
           "logs:PutLogEvents"
       ],
       "Resource": [
           "arn:aws:logs:region:account-id:log-group:log-group-name:log-stream:log-stream-name"
       ]
    },
    {
       "Effect": "Allow", 
       "Action": [
           "lambda:InvokeFunction", 
           "lambda:GetFunctionConfiguration" 
       ],
       "Resource": [
           "arn:aws:lambda:region:account-id:function:function-name:function-version"
       ]
    }
]

}

具体来说,我看到错误的块如下(我已经包含了主体,因为这是必需的):

    {
        "Effect": "Allow",
        "Principal": {
            "AWS": [
                "${account_id}"
            ]
        },
        "Action": [
            "kinesis:DescribeStream",
            "kinesis:GetShardIterator",
            "kinesis:GetRecords",
            "kinesis:ListShards"
        ],
        "Resource": "arn:aws:kinesis:${region}:${account_id}:stream/*"
    },

但是当我尝试将策略应用到 s3 存储桶时,我得到以下信息:

Error: Error putting S3 policy: MalformedPolicy: Policy has invalid action

│状态码:400,请求id:xxxxxxxxxxxxxxx,主机id:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx │

为什么会出现这个错误?

【问题讨论】:

  • 您实际上是按原样使用链接文档中给出的示例策略还是使用它的更改版本。您能否发布您尝试应用的完整政策,而不仅仅是 sn-p?

标签: amazon-web-services amazon-kinesis amazon-kinesis-firehose


【解决方案1】:

这个块:

{
    "Effect": "Allow",
    "Action": [
        "kinesis:DescribeStream",
        "kinesis:GetShardIterator",
        "kinesis:GetRecords",
        "kinesis:ListShards"
    ],
    "Resource": "arn:aws:kinesis:region:account-id:stream/stream-name"
},

表示要对 Kinesis 数据流而非 Kinesis 传送流执行的操作。这是 AWS 文档中的错误。如果您没有从数据流中提供传输流,则可以删除此块。

【讨论】:

    【解决方案2】:

    链接的 AWS 文档中给出的策略应附加到与 kinesis firehose 关联的 IAM 角色。

    S3 存储桶策略是基于资源的策略。在基于资源的策略中,您可以指定仅与该特定资源相关的操作(在本例中为 S3 存储桶)。但由于您尝试将 kinesis 数据流操作添加到 S3 存储桶策略,因此您会收到“无效操作”错误

    【讨论】:

      猜你喜欢
      • 2021-09-02
      • 2022-01-01
      • 1970-01-01
      • 2012-11-18
      • 2018-05-22
      • 2018-05-20
      • 1970-01-01
      • 2013-10-30
      • 2021-01-01
      相关资源
      最近更新 更多