Allow CloudFront to access an S3 bucket using an Origin Access Identity

7
I have built a static website hosted in an S3 bucket and served through CloudFront. I want to restrict direct access to the bucket so that it is only reachable from CloudFront via an Origin Access Identity.
I tried updating the S3 bucket policy, but I get this error:
Error putting S3 policy: MalformedPolicy: Invalid principal in policy status code: 400, request id

I am trying to use the following policy:

resource "aws_s3_bucket_policy" "default" {
  bucket = "${aws_s3_bucket.default.id}"
  policy = <<EOF
{
"Version": "2008-10-17",
"Statement": [
    {
        "Sid": "2",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${aws_cloudfront_origin_access_identity.origin_access_identity.id}"
        },
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::$/*"
    }
  ]
}
EOF 
}
1 Answer

9

As described in the aws_cloudfront_origin_access_identity documentation, the best approach is to use the aws_iam_policy_document data source to generate the IAM policy document and then attach it directly.

An example might look like this:

data "aws_iam_policy_document" "s3_policy" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["${module.names.s3_endpoint_arn_base}/*"]

    principals {
      type        = "AWS"
      identifiers = ["${aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn}"]
    }
  }

  statement {
    actions   = ["s3:ListBucket"]
    resources = ["${module.names.s3_endpoint_arn_base}"]

    principals {
      type        = "AWS"
      identifiers = ["${aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn}"]
    }
  }
}

resource "aws_s3_bucket" "bucket" {
  # ...
  policy = "${data.aws_iam_policy_document.s3_policy.json}"
}

If you really want to hand-write the IAM policy as in the question, then you just need to do it like this:
resource "aws_s3_bucket_policy" "default" {
  bucket = "${aws_s3_bucket.default.id}"
  policy = <<EOF
{
"Version": "2008-10-17",
"Statement": [
    {
        "Sid": "2",
        "Effect": "Allow",
        "Principal": {
            "AWS": "${aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn}"
        },
        "Action": "s3:*",
        "Resource": "${aws_s3_bucket.default.arn}/*"
    }
  ]
}
EOF 
}

Thanks. I will implement this. - Obivan
3
Note that there is a cyclic dependency; it can be avoided if you use the separate aws_s3_bucket_policy resource to attach the policy to the bucket. More info here: https://github.com/hashicorp/terraform/issues/5612#issuecomment-275912351 - Ivailo Bardarov
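The following is a complete wiring of the pieces discussed in the answer (policy generated with aws_iam_policy_document, principal taken from the OAI's iam_arn attribute) and in the comment about the cyclic dependency (policy attached with a separate aws_s3_bucket_policy resource). It is an added example, not code from the page, the question asker or the answerer. It assumes Terraform 0.12+ syntax, the hashicorp/aws provider, and the hypothetical names site, example-static-site-bucket and us-east-1; the answer's module.names.s3_endpoint_arn_base is replaced by the bucket's own arn attribute. It goes slightly beyond the page by also adding the public access block and the CloudFront distribution that consumes the OAI, since the policy alone does not make the bucket private.

```hcl
# Added example, not from the page. Assumes Terraform 0.12+ syntax, the
# hashicorp/aws provider, and the hypothetical names used below.

provider "aws" {
  region = "us-east-1" # assumed region
}

# The identity CloudFront presents to S3 when it fetches objects.
resource "aws_cloudfront_origin_access_identity" "site" {
  comment = "OAI for the static site bucket"
}

resource "aws_s3_bucket" "site" {
  bucket = "example-static-site-bucket" # hypothetical bucket name
}

# Defence in depth: a mistakenly public ACL or policy is rejected by S3
# itself, so the bucket stays private even if the policy below is edited.
resource "aws_s3_bucket_public_access_block" "site" {
  bucket                  = aws_s3_bucket.site.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Least privilege: only the OAI, only s3:GetObject, only objects in this
# bucket. The principal is the OAI's iam_arn attribute, which is the exact
# string S3 expects (the question's hand-built ARN is what triggered
# "Invalid principal in policy").
data "aws_iam_policy_document" "site" {
  statement {
    sid       = "AllowCloudFrontOAIRead"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.site.arn}/*"]

    principals {
      type        = "AWS"
      identifiers = [aws_cloudfront_origin_access_identity.site.iam_arn]
    }
  }
}

# Attaching the policy with a separate resource avoids the cycle that appears
# when aws_s3_bucket.site.policy references a document that itself references
# aws_s3_bucket.site.arn (the issue linked in the comment above).
resource "aws_s3_bucket_policy" "site" {
  bucket = aws_s3_bucket.site.id
  policy = data.aws_iam_policy_document.site.json
}

resource "aws_cloudfront_distribution" "site" {
  enabled             = true
  default_root_object = "index.html"

  origin {
    domain_name = aws_s3_bucket.site.bucket_regional_domain_name
    origin_id   = "s3-site"

    # Without s3_origin_config CloudFront fetches anonymously and, with the
    # policy above, would receive 403 from S3.
    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.site.cloudfront_access_identity_path
    }
  }

  default_cache_behavior {
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = "s3-site"
    viewer_protocol_policy = "redirect-to-https"

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}
```

After terraform apply, objects are readable only through the distribution: a direct request to the bucket's S3 URL is refused with 403 because no anonymous principal is granted anything and the public access block forbids granting one. The policy grants s3:GetObject rather than the s3:* from the question, because CloudFront only ever needs to read objects; if you also want CloudFront to return 404 instead of 403 for missing keys, add a second statement granting s3:ListBucket on the bucket ARN, as the answer's example does.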

Page content provided by Stack Overflow.