我正在尝试使用 Terraform 重命名 S3 存储桶,这将自动删除现有存储桶并重新创建一个新存储桶。我收到以下错误:
│ Error: emptying S3 Bucket (my-bucket):
| deleting S3 Bucket (my-vuxkwr) objects: 1000 errors occurred:
│ * deleting: S3 object (AWSLogs/123456789/elasticloadbalancing/us-west-2/2024/03/15/123456789_elasticloadbalancing_us-west-2_app.my-api.log.gz) version (abcde_fghij.klmno):
| AccessDenied: Access Denied
# omitted the rest of the AccessDenied errors
这是我的 S3 存储桶配置:
data "aws_caller_identity" "current" {}
data "aws_elb_service_account" "main" {}
locals {
bucket_arn = "arn:aws:s3:::${var.bucket_name}"
}
resource "aws_s3_bucket" "main" {
bucket = var.bucket_name
force_destroy = true
tags = var.tags
}
resource "aws_s3_bucket_logging" "main" {
bucket = aws_s3_bucket.main.id
target_bucket = var.s3_access_logs_bucket_name
target_prefix = "${var.bucket_name}/"
}
resource "aws_s3_bucket_versioning" "main" {
bucket = aws_s3_bucket.main.id
versioning_configuration {
status = "Enabled"
}
}
resource "aws_s3_bucket_server_side_encryption_configuration" "main" {
bucket = aws_s3_bucket.main.id
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
resource "aws_s3_bucket_policy" "main" {
bucket = aws_s3_bucket.main.id
policy = data.aws_iam_policy_document.bucket_policy.json
depends_on = [
aws_s3_bucket.main
]
}
data "aws_iam_policy_document" "bucket_policy" {
statement {
sid = "RequireSSL"
effect = "Deny"
principals {
type = "*"
identifiers = ["*"]
}
actions = ["s3:*"]
resources = [
local.bucket_arn,
"${local.bucket_arn}/*",
]
condition {
test = "Bool"
variable = "aws:SecureTransport"
values = [
"false"
]
}
}
statement {
sid = "AwsElbServiceAccount"
actions = [
"s3:PutObject"
]
resources = [
"${aws_s3_bucket.main.arn}/*"
]
principals {
type = "AWS"
identifiers = [data.aws_elb_service_account.main.arn]
}
}
}
resource "aws_s3_bucket_ownership_controls" "main" {
bucket = aws_s3_bucket.main.id
rule {
object_ownership = "BucketOwnerEnforced"
}
depends_on = [
aws_s3_bucket.main
]
}
resource "aws_s3_bucket_public_access_block" "main" {
bucket = aws_s3_bucket.main.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
以下是我当前角色的相关权限:
data "aws_iam_policy_document" "provision_s3_bucket" {
statement {
sid = "S3Bucket"
actions = [
"s3:DeleteObject",
"s3:DeleteObjects",
]
resources = [
"arn:aws:s3:::*",
]
}
}
当我有权删除任何 S3 资源上的存储桶对象时,为什么会收到 AccessDenied 错误?
已解决:添加
s3:DeleteObjectVersion
的权限(或仅 s3:DeleteObject*
)
我一直在参考 AWS S3 API 操作来确定我需要哪些权限,唯一相关的
DeleteObject
操作是我之前添加的两个操作。
显然,API 操作和权限并不总是具有 1:1 的相关性,因为操作(如
DeleteObject
)有时会产生副作用(如 DeleteObjectVersion
)。
- 要从存储桶中删除对象,您必须始终拥有 s3:DeleteObject 权限。s3:DeleteObject
- 删除对象的特定版本 从启用版本控制的存储桶中,您必须具有s3:DeleteObjectVersion
许可。s3:DeleteObjectVersion