删除 S3 存储桶对象不适用于 Terraform 访问被拒绝

问题描述 投票:0回答:1

我正在尝试使用 Terraform 重命名 S3 存储桶,这将自动删除现有存储桶并重新创建一个新存储桶。我收到以下错误:

│ Error: emptying S3 Bucket (my-bucket): 
|   deleting S3 Bucket (my-vuxkwr) objects: 1000 errors occurred:
│ * deleting: S3 object (AWSLogs/123456789/elasticloadbalancing/us-west-2/2024/03/15/123456789_elasticloadbalancing_us-west-2_app.my-api.log.gz) version (abcde_fghij.klmno): 
| AccessDenied: Access Denied
# omitted the rest of the AccessDenied errors

这是我的 S3 存储桶配置:

data "aws_caller_identity" "current" {}
data "aws_elb_service_account" "main" {}

locals {
  bucket_arn  = "arn:aws:s3:::${var.bucket_name}"
}

resource "aws_s3_bucket" "main" {
  bucket = var.bucket_name

  force_destroy = true
  
  tags = var.tags
}

resource "aws_s3_bucket_logging" "main" {
  bucket = aws_s3_bucket.main.id

  target_bucket = var.s3_access_logs_bucket_name
  target_prefix = "${var.bucket_name}/"
}

resource "aws_s3_bucket_versioning" "main" {
  bucket = aws_s3_bucket.main.id

  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "main" {
  bucket = aws_s3_bucket.main.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "AES256"
    }
  }
}

resource "aws_s3_bucket_policy" "main" {
  bucket = aws_s3_bucket.main.id
  policy = data.aws_iam_policy_document.bucket_policy.json

  depends_on = [
    aws_s3_bucket.main
  ]
}

data "aws_iam_policy_document" "bucket_policy" {
  statement {
    sid = "RequireSSL"

    effect = "Deny"

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    actions = ["s3:*"]

    resources = [
      local.bucket_arn,
      "${local.bucket_arn}/*",
    ]

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values = [
        "false"
      ]
    }
  }

  statement {
    sid = "AwsElbServiceAccount"
    actions = [
      "s3:PutObject"
    ]
    resources = [
      "${aws_s3_bucket.main.arn}/*"
    ]
    principals {
      type        = "AWS"
      identifiers = [data.aws_elb_service_account.main.arn]
    }
  }
}

resource "aws_s3_bucket_ownership_controls" "main" {
  bucket = aws_s3_bucket.main.id

  rule {
    object_ownership = "BucketOwnerEnforced"
  }

  depends_on = [
    aws_s3_bucket.main
  ]
}

resource "aws_s3_bucket_public_access_block" "main" {
  bucket = aws_s3_bucket.main.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

以下是我当前角色的相关权限:

data "aws_iam_policy_document" "provision_s3_bucket" {
  statement {
    sid       = "S3Bucket"
    actions   = [
        "s3:DeleteObject", 
        "s3:DeleteObjects",
      ]
    resources = [
        "arn:aws:s3:::*",
      ]
  }
}

当我有权删除任何 S3 资源上的存储桶对象时,为什么会收到 AccessDenied 错误?

amazon-web-services amazon-s3 terraform
1个回答
0
投票

已解决:添加 

s3:DeleteObjectVersion
的权限(或仅 
s3:DeleteObject*

我一直在参考 AWS S3 API 操作来确定我需要哪些权限,唯一相关的 

DeleteObject
操作是我之前添加的两个操作。

显然,API 操作和权限并不总是具有 1:1 的相关性,因为操作(如 

DeleteObject
)有时会产生副作用(如 
DeleteObjectVersion
)。

来自 AWS API DeleteObject 文档页面

s3:DeleteObject
- 要从存储桶中删除对象,您必须始终拥有 s3:DeleteObject 权限。

s3:DeleteObjectVersion
- 删除对象的特定版本 从启用版本控制的存储桶中,您必须具有 
s3:DeleteObjectVersion
许可。

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.