角色无权在KinesisStream上执行DescribeStream

问题描述 投票:0回答:1

我对S3和Kinesis流各有2条策略,其中包括DescribeStream。 S3策略运行良好,但我在KinesisPolicy中遇到此错误。

资源:

  • S3
  • KinesisStream
  • Firehose

角色:

  • FirehoseRole

政策:

  • S3策略具有以下权限:

          - 's3:AbortMultipartUpload'
      - 's3:GetBucketLocation'
      - 's3:GetObject'
      - 's3:ListBucket'
      - 's3:ListBucketMultipartUploads'
      - 's3:PutObject'

  • Kinesis策略具有以下权限:

          - 'kinesis:PutRecord'
      - 'kinesis:DescribeStreamSummary'
      - 'kinesis:PutRecords'
      - 'kinesis:GetShardIterator'
      - 'kinesis:GetRecords'
      - 'kinesis:DescribeStream'

错误:

该角色(firehoseRole)无权在MyKinesisStream上执行DescribeStream。

云形成模板

Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      VersioningConfiguration:
        Status: Enabled

 firehoseRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: ''
            Effect: Allow
            Principal:
              Service: firehose.amazonaws.com
            Action: 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref 'AWS::AccountId'

  DeliveryPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: firehose_delivery_policy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - 's3:AbortMultipartUpload'
              - 's3:GetBucketLocation'
              - 's3:GetObject'
              - 's3:ListBucket'
              - 's3:ListBucketMultipartUploads'
              - 's3:PutObject'
            Resource:
              - !Sub 'arn:aws:s3:::${S3Bucket}'
              - !Sub 'arn:aws:s3:::${S3Bucket}*'
      Roles:
        - !Ref firehoseRole

  KinesisPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: kinesis_policy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action: 
              - 'kinesis:PutRecord'
              - 'kinesis:DescribeStreamSummary'
              - 'kinesis:PutRecords'
              - 'kinesis:GetShardIterator'
              - 'kinesis:GetRecords'
              - 'kinesis:DescribeStream'
            Resource:
              - !GetAtt MyKinesisStream.Arn
      Roles:
        - !Ref firehoseRole

  MyKinesisStream:
    Type: AWS::Kinesis::Stream
    Properties: 
      ShardCount: 1

  DeliveryStream:
    Type: AWS::KinesisFirehose::DeliveryStream
    Properties:
      DeliveryStreamType: KinesisStreamAsSource
      KinesisStreamSourceConfiguration:
        KinesisStreamARN: !GetAtt MyKinesisStream.Arn
        RoleARN: !GetAtt firehoseRole.Arn
      S3DestinationConfiguration:
        BucketARN: !GetAtt S3Bucket.Arn
        BufferingHints:
          IntervalInSeconds: 60
          SizeInMBs: 50
        CompressionFormat: UNCOMPRESSED
        Prefix: firehose/
        RoleARN: !GetAtt firehoseRole.Arn
amazon-web-services amazon-cloudformation
1个回答
0
投票

我能够解决该错误。我必须将DependsOn添加到DeliveryStream并包括两个策略。

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.