1. 首页
  2. 问答
  3. CloudFormation BucketPolicy停留在CREATE。从未完成CREATE

CloudFormation BucketPolicy停留在CREATE。从未完成CREATE

2017-01-09 31 views
0

Cloud使用用户,用户访问密钥和策略形成S3存储桶。它应该创建堆栈并输出通过SDK与创建的S3存储区一起工作所需的用户访问密钥。当尝试引用BucketPolicy Principal中的BucketUser ARN时,桶策略永远停留在CREATING阶段。CloudFormation BucketPolicy停留在CREATE。从未完成CREATE

CloudFormation是成功的

BucketPolicy: ... Principal: "*"

但BucketPolicy资源是停留在与

BucketPolicy: ... Principal: !GetAtt BucketUser.Arn

永远创建这个成功返回BucketUser.Arn时BucketPolicy: ... Principal: "*"

Outputs: 
    BucketUserArn: 
    Value: !GetAtt BucketUser.Arn

所需的模板:

AWSTemplateFormatVersion: "2010-09-09" 
Description: "Creates bucket with bucket policy" 
#Metadata: 
Parameters: 
    app: 
    Type: String 
    Description: (required) Application name (Also used for bucket name. Follow S3 bucket name conventions) 
    Default: ymessage-bucket-test 
Resources: 
    BucketUser: 
    Type: "AWS::IAM::User" 
    Properties: 
     UserName: !Ref app 
    UserAccessKey: 
    Type: "AWS::IAM::AccessKey" 
    Properties: 
     Status: Active 
     UserName: !Ref app 
    DependsOn: BucketUser 
    Bucket: 
    Type: AWS::S3::Bucket 
    Properties: 
     BucketName: !Ref app 
    BucketPolicy: 
     Type: "AWS::S3::BucketPolicy" 
     Properties: 
     Bucket: !Ref app 
     PolicyDocument: 
      Statement: 
      - 
       Action: 
       - "s3:*" 
       Effect: "Allow" 
       Resource: 
       Fn::Join: 
        - "" 
        - 
        - "arn:aws:s3:::" 
        - !Ref app 
        - "/*" 
       Principal: !GetAtt BucketUser.Arn 
     DependsOn: BucketUser 
Outputs: 
    AccessKeyId: 
    Value: !Ref UserAccessKey 
    AccessKeySecret: 
    Value: !GetAtt UserAccessKey.SecretAccessKey 
    BucketURL: 
    Value: !GetAtt Bucket.WebsiteURL 
    BucketUserArn: 
    Value: !GetAtt BucketUser.Arn

工作模板:

AWSTemplateFormatVersion: "2010-09-09" 
Description: "Creates bucket with bucket policy" 
#Metadata: 
Parameters: 
    app: 
    Type: String 
    Description: (required) Application name (Also used for bucket name. Follow S3 bucket name conventions) 
    Default: ymessage-bucket-test 
Resources: 
    BucketUser: 
    Type: "AWS::IAM::User" 
    Properties: 
     UserName: !Ref app 
    UserAccessKey: 
    Type: "AWS::IAM::AccessKey" 
    Properties: 
     Status: Active 
     UserName: !Ref app 
    DependsOn: BucketUser 
    Bucket: 
    Type: AWS::S3::Bucket 
    Properties: 
     BucketName: !Ref app 
    BucketPolicy: 
     Type: "AWS::S3::BucketPolicy" 
     Properties: 
     Bucket: !Ref app 
     PolicyDocument: 
      Statement: 
      - 
       Action: 
       - "s3:*" 
       Effect: "Allow" 
       Resource: 
       Fn::Join: 
        - "" 
        - 
        - "arn:aws:s3:::" 
        - !Ref app 
        - "/*" 
       Principal: "*" 
     DependsOn: BucketUser 
Outputs: 
    AccessKeyId: 
    Value: !Ref UserAccessKey 
    AccessKeySecret: 
    Value: !GetAtt UserAccessKey.SecretAccessKey 
    BucketURL: 
    Value: !GetAtt Bucket.WebsiteURL 
    BucketUserArn: 
    Value: !GetAtt BucketUser.Arn

来源

2017-01-09 Eric Nord

回答

0

发现的问题:在BucketPolicy它可以直接接受Principal: "*",但如果你想使用的ARN做到这一点:

Principal: 
    AWS: 
    - !GetAtt BucketUser.Arn

来源

2017-01-09 18:17:53

相关问题

 相关问题