2 
Access Denied for bucket: appdeploy-logbucket-1cca50r865s65. 
Please check S3bucket permission (Service: AmazonElasticLoadBalancingV2; Status Code: 400; Error Code: 
InvalidConfigurationRequest; Request ID: e5e2245f-2f9b-11e9-a3e9-2dcad78a31ec)

我想将我的 ALB 日志存储到 s3 存储桶,我已经向 s3 存储桶添加了策略,但它说访问被拒绝,我尝试了很多,并且使用了这么多配置,但它一次又一次地失败,我的堆栈回滚,我曾经Troposphere创建模板。

我已经尝试使用我的策略,但它不是工作。

BucketPolicy = t.add_resource(
    s3.BucketPolicy(
        "BucketPolicy",
        Bucket=Ref(LogBucket),
        PolicyDocument={
            "Id": "Policy1550067507528",
            "Version": "2012-10-17",
            "Statement": [
              {
                   "Sid": "Stmt1550067500750",
                   "Action": [
                    "s3:PutObject",
                    "s3:PutBucketAcl",
                    "s3:PutBucketLogging",
                    "s3:PutBucketPolicy"
                   ],
                   "Effect": "Allow",
                   "Resource": Join("", [
                     "arn:aws:s3:::",
                     Ref(LogBucket),
                     "/AWSLogs/",
                     Ref("AWS::AccountId"),
                     "/*"]),
                   "Principal": {"AWS": "027434742980"},
              }
            ],
            },
    ))

有什么帮助吗?

4

2 回答 2

3

对流层/堆栈器维护者在这里。我们有一个堆栈器蓝图(它是对流层模板的包装器),我们在工作中用于我们的日志存储桶:

from troposphere import Sub
from troposphere import s3

from stacker.blueprints.base import Blueprint

from awacs.aws import (
    Statement, Allow, Policy, AWSPrincipal
)
from awacs.s3 import PutObject


class LoggingBucket(Blueprint):
    VARIABLES = {
        "ExpirationInDays": {
            "type": int,
            "description": "Number of days to keep logs around for",
        },
        # See the table here for account ids.
        # https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html#attach-bucket-policy
        "AWSAccountId": {
            "type": str,
            "description": "The AWS account ID to allow access to putting "
                           "logs in this bucket.",
            "default": "797873946194"  # us-west-2
        },
    }

    def create_template(self):
        t = self.template
        variables = self.get_variables()

        bucket = t.add_resource(
            s3.Bucket(
                "Bucket",
                LifecycleConfiguration=s3.LifecycleConfiguration(
                    Rules=[
                        s3.LifecycleRule(
                            Status="Enabled",
                            ExpirationInDays=variables["ExpirationInDays"]
                        )
                    ]
                )
            )
        )

        # Give ELB access to PutObject in the bucket.
        t.add_resource(
            s3.BucketPolicy(
                "BucketPolicy",
                Bucket=bucket.Ref(),
                PolicyDocument=Policy(
                    Statement=[
                        Statement(
                            Effect=Allow,
                            Action=[PutObject],
                            Principal=AWSPrincipal(variables["AWSAccountId"]),
                            Resource=[Sub("arn:aws:s3:::${Bucket}/*")]
                        )
                    ]
                )
            )
        )

        self.add_output("BucketId", bucket.Ref())
        self.add_output("BucketArn", bucket.GetAtt("Arn"))

希望这会有所帮助!

于 2019-02-13T23:03:04.077 回答
0

CloudFormation 模板中的主体错误。您应该使用适合您所在区域的委托人 AWS 账户 ID。在本文档中查找正确的值:

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#access-logging-bucket-permissions

此外,您可以缩小您的行动范围。如果只想将 ALB 日志推送到 S3,只需要:

        Action: s3:PutObject

这是一个有效的示例 BucketPolicy Cloudformation(您可以轻松地将其转换为对流层 PolicyDocument 元素):

Resources:

  # Create an S3 logs bucket
  ALBLogsBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "my-logs-${AWS::AccountId}"
      AccessControl: LogDeliveryWrite
      LifecycleConfiguration:
        Rules:
          - Id: ExpireLogs
            ExpirationInDays: 365
            Status: Enabled
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
    DeletionPolicy: Retain

  # Grant access for the load balancer to write the logs
  # For the magic number 127311923021, refer to https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#access-logging-bucket-permissions
  ALBLoggingBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ALBLogsBucket
      PolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              AWS: 127311923021 # Elastic Load Balancing Account ID for us-east-1
            Action: s3:PutObject
            Resource: !Sub "arn:aws:s3:::my-logs-${AWS::AccountId}/*"
于 2021-04-30T00:13:10.970 回答