【发布时间】:2021-11-14 05:01:11
【问题描述】:
我正在按照指南 here 允许将日志写入 s3。
“使用以下访问策略使 Kinesis Data Firehose 能够访问您的 S3 存储桶和 AWS KMS 密钥。如果您不拥有 S3 存储桶,请将 s3:PutObjectAcl 添加到 Amazon S3 操作列表中。这会授予存储桶拥有对 Kinesis Data Firehose 交付的对象的完全访问权限。"
{
"Version": "2012-10-17",
"Statement":
[
{
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::bucket-name",
"arn:aws:s3:::bucket-name/*"
]
},
{
"Effect": "Allow",
"Action": [
"kinesis:DescribeStream",
"kinesis:GetShardIterator",
"kinesis:GetRecords",
"kinesis:ListShards"
],
"Resource": "arn:aws:kinesis:region:account-id:stream/stream-name"
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": [
"arn:aws:kms:region:account-id:key/key-id"
],
"Condition": {
"StringEquals": {
"kms:ViaService": "s3.region.amazonaws.com"
},
"StringLike": {
"kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::bucket-name/prefix*"
}
}
},
{
"Effect": "Allow",
"Action": [
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:region:account-id:log-group:log-group-name:log-stream:log-stream-name"
]
},
{
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction",
"lambda:GetFunctionConfiguration"
],
"Resource": [
"arn:aws:lambda:region:account-id:function:function-name:function-version"
]
}
]
}
具体来说,我看到错误的块如下(我已经包含了主体,因为这是必需的):
{
"Effect": "Allow",
"Principal": {
"AWS": [
"${account_id}"
]
},
"Action": [
"kinesis:DescribeStream",
"kinesis:GetShardIterator",
"kinesis:GetRecords",
"kinesis:ListShards"
],
"Resource": "arn:aws:kinesis:${region}:${account_id}:stream/*"
},
但是当我尝试将策略应用到 s3 存储桶时,我得到以下信息:
Error: Error putting S3 policy: MalformedPolicy: Policy has invalid action
│状态码:400,请求id:xxxxxxxxxxxxxxx,主机id:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx │
为什么会出现这个错误?
【问题讨论】:
-
您实际上是按原样使用链接文档中给出的示例策略还是使用它的更改版本。您能否发布您尝试应用的完整政策,而不仅仅是 sn-p?
标签: amazon-web-services amazon-kinesis amazon-kinesis-firehose