
I'm trying to create a custom resource with CDK to add an inventory configuration to a bucket. I'm calling putBucketInventoryConfiguration() - https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html#putBucketInventoryConfiguration-property - but I'm getting Access Denied for the destination bucket's policy -

    from aws_cdk import aws_iam as iam

    # Identity-side policy on the role the custom resource runs as: allow
    # PutObject into the inventory destination bucket, gated on the request
    # coming from the upload (source) bucket in this account and carrying
    # the bucket-owner-full-control ACL.
    config_inventory_role.add_to_policy(iam.PolicyStatement(
        effect=iam.Effect.ALLOW,
        resources=[f'{config_inventory_bucket.bucket_arn}/*'],
        actions=['s3:PutObject'],
        conditions={
            "ArnLike": {
                "aws:SourceArn": config_upload_bucket.bucket_arn
            },
            "StringEquals": {
                "aws:SourceAccount": [
                    kwargs["env"]["aws"]["account"]
                ],
                "s3:x-amz-acl": "bucket-owner-full-control"
            }
        }
    ))

(iotsysteminventoryc231de866a82512a9a84151e276042845F52818C) Failed to create resource. Access Denied

    [2020-06-15T08:23:51.589Z]  new CustomResource (/tmp/jsii-kernel-ymFU82/node_modules/@aws-cdk/core/lib/custom-resource.js:23:25)
    [2020-06-15T08:23:51.589Z]  \_ new AwsCustomResource (/tmp/jsii-kernel-ymFU82/node_modules/@aws-cdk/custom-resources/lib/aws-custom-resource/aws-custom-resource.js:130:31)
    [2020-06-15T08:23:51.589Z]  \_ /usr/local/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7853:49
    [2020-06-15T08:23:51.589Z]  \_ Kernel._wrapSandboxCode (/usr/local/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:8313:20)
    [2020-06-15T08:23:51.589Z]  \_ Kernel._create (/usr/local/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7853:26)
    [2020-06-15T08:23:51.589Z]  \_ Kernel.create (/usr/local/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7600:21)
    [2020-06-15T08:23:51.589Z]  \_ KernelHost.processRequest (/usr/local/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7388:28)
    [2020-06-15T08:23:51.589Z]  \_ KernelHost.run (/usr/local/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7328:14)
    [2020-06-15T08:23:51.589Z]  \_ Immediate._onImmediate (/usr/local/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7331:37)
    [2020-06-15T08:23:51.589Z]  \_ processImmediate (internal/timers.js:439:21)

1 Answer


I'm facing exactly the same problem, did you find a solution?

    import { PolicyStatement } from '@aws-cdk/aws-iam';
    import { AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId } from '@aws-cdk/custom-resources';

    // Custom resource that calls S3 putObject on every update. `s3params`
    // (Bucket, Key, Body, ...) and `props.sourceBucketArn` are defined
    // elsewhere in the poster's stack.
    new AwsCustomResource(this, 'ExportTaskDefToS3', {
      onUpdate: {
        service: 'S3',
        action: 'putObject',
        parameters: {
          ...s3params
        },
        physicalResourceId: PhysicalResourceId.of('ExportTaskDefToS3')
      },
      // Identity-side policy for the Lambda behind the custom resource.
      // `s3:*` is far broader than putObject needs; a cross-account bucket
      // additionally requires its own bucket policy in the owning account.
      policy: AwsCustomResourcePolicy.fromStatements([
        new PolicyStatement({
          actions: ['s3:*'],
          resources: [`${props.sourceBucketArn}/*`],
        }),
      ])
    });

Found the solution to my problem ->

The custom resource I'm creating is in Account B. The S3 bucket is in Account A. I had to update the S3 bucket policy in Account A.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::AccountB:user/AccountBUserName"
          },
          "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"],
          "Resource": ["arn:aws:s3:::AccountABucketName/*"]
        }
      ]
    }

Answered 2020-07-10T06:38:43.120
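As an added example that is not part of the question or the answer above: the Python below builds the resource-based policy for the destination bucket in Account A, combining the answer's grant to the Account B IAM user with a second statement for the S3 service principal (`s3.amazonaws.com`), which is the principal that actually delivers inventory reports; the conditions on that statement are the ones the question attached to its role. A deliberately simplified evaluator then shows which requests the bucket policy admits. Account IDs, bucket names, ARNs and the requests are constructed for the example; the evaluator supports only the two condition operators used here and models the bucket-policy side of the decision, not the caller's identity policy.

```python
from fnmatch import fnmatchcase

# Constructed sample identifiers (assumptions, not values from the thread).
ACCOUNT_B = "222222222222"  # account that runs the CDK custom resource
DEST_BUCKET = "AccountABucketName"  # destination bucket, owned by Account A
SOURCE_BUCKET_ARN = "arn:aws:s3:::accountb-config-upload"
WRITER_ARN = f"arn:aws:iam::{ACCOUNT_B}:user/AccountBUserName"


def destination_bucket_policy(dest_bucket, writer_arn, source_bucket_arn, source_account):
    """Resource-based policy for the destination bucket in Account A.
    Statement 1 is the answer's grant to the cross-account IAM user; statement 2
    grants the S3 service principal that writes inventory reports, with the
    conditions from the question's role policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowAccountBWriter",
                "Effect": "Allow",
                "Principal": {"AWS": writer_arn},
                "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"],
                "Resource": f"arn:aws:s3:::{dest_bucket}/*",
            },
            {
                "Sid": "AllowS3InventoryDelivery",
                "Effect": "Allow",
                "Principal": {"Service": "s3.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{dest_bucket}/*",
                "Condition": {
                    "ArnLike": {"aws:SourceArn": source_bucket_arn},
                    "StringEquals": {
                        "aws:SourceAccount": source_account,
                        "s3:x-amz-acl": "bucket-owner-full-control",
                    },
                },
            },
        ],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(principal, req_principal):
    # principal: "*" or {"AWS": ...}/{"Service": ...}; req_principal: {"AWS": id} or {"Service": id}
    if principal == "*":
        return True
    return any(req_principal.get(kind) in _as_list(ids) or (kind == "AWS" and "*" in _as_list(ids))
               for kind, ids in principal.items())

def _conditions_hold(condition, context):
    # Only the two operators used above; a missing context key fails the condition.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual, expected = context.get(key), _as_list(expected)
            if actual is None:
                return False
            if operator == "StringEquals" and actual not in expected:
                return False
            if operator == "ArnLike" and not any(fnmatchcase(actual, p) for p in expected):
                return False
            if operator not in ("StringEquals", "ArnLike"):
                raise ValueError(f"unsupported condition operator: {operator}")
    return True

def evaluate(policy, request):
    """Simplified evaluation of the bucket policy alone: explicit Deny wins, any
    matching Allow allows, otherwise implicit deny. The caller's identity policy
    in Account B must also allow the call; that side is not modelled here."""
    decision = "deny"
    for stmt in policy["Statement"]:
        if (not _principal_matches(stmt["Principal"], request["principal"])
                or not any(fnmatchcase(request["action"], a) for a in _as_list(stmt["Action"]))
                or not any(fnmatchcase(request["resource"], r) for r in _as_list(stmt["Resource"]))
                or not _conditions_hold(stmt.get("Condition", {}), request.get("context", {}))):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision

def demo():
    """Four constructed requests, against the policy above and against no bucket policy."""
    policy = destination_bucket_policy(DEST_BUCKET, WRITER_ARN, SOURCE_BUCKET_ARN, ACCOUNT_B)
    no_policy = {"Version": "2012-10-17", "Statement": []}
    key = f"arn:aws:s3:::{DEST_BUCKET}/inventory/report.csv"
    writer = {"principal": {"AWS": WRITER_ARN}, "action": "s3:PutObject", "resource": key}
    inventory = {"principal": {"Service": "s3.amazonaws.com"}, "action": "s3:PutObject",
                 "resource": key, "context": {"aws:SourceArn": SOURCE_BUCKET_ARN,
                 "aws:SourceAccount": ACCOUNT_B, "s3:x-amz-acl": "bucket-owner-full-control"}}
    spoofed = {**inventory, "context": {**inventory["context"], "aws:SourceAccount": "333333333333"}}
    return {
        "writer_without_bucket_policy": evaluate(no_policy, writer),
        "writer_with_bucket_policy": evaluate(policy, writer),
        "inventory_delivery": evaluate(policy, inventory),
        "inventory_from_other_account": evaluate(policy, spoofed),
    }
```

`demo()` returns "deny" for the Account B writer when the destination bucket has no bucket policy and "allow" once the policy is attached, which is the situation the answer describes: for a cross-account request both the identity policy in Account B (what `add_to_policy` and `fromStatements` grant) and the bucket policy in Account A must allow it. The inventory requests show why the question's conditions belong on the bucket policy statement for `s3.amazonaws.com` rather than on the role: it is the S3 service, not the custom resource's role, that writes the reports, and a delivery claiming a different `aws:SourceAccount` is rejected by the condition.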