Amazon web services 拒绝访问存储桶日志表单Applicationloadbalancer:请检查S3bucket权限
我想将我的ALB日志存储到s3 bucket,我已经向s3 bucket添加了策略,但它说拒绝访问,我尝试了很多,使用了很多配置,但一次又一次失败,我的堆栈回滚,我使用了Amazon web services 拒绝访问存储桶日志表单Applicationloadbalancer:请检查S3bucket权限,amazon-web-services,amazon-s3,load-balancing,amazon-cloudformation,troposphere,Amazon Web Services,Amazon S3,Load Balancing,Amazon Cloudformation,Troposphere,我想将我的ALB日志存储到s3 bucket,我已经向s3 bucket添加了策略,但它说拒绝访问,我尝试了很多,使用了很多配置,但一次又一次失败,我的堆栈回滚,我使用了对流层创建模板 我试过使用我的策略,但不是wokring Access Denied for bucket: appdeploy-logbucket-1cca50r865s65. Please check S3bucket permission (Service: AmazonElasticLoadBalancingV2; S
对流层
创建模板
我试过使用我的策略,但不是wokring
Access Denied for bucket: appdeploy-logbucket-1cca50r865s65.
Please check S3bucket permission (Service: AmazonElasticLoadBalancingV2; Status Code: 400; Error Code:
InvalidConfigurationRequest; Request ID: e5e2245f-2f9b-11e9-a3e9-2dcad78a31ec)
有什么帮助吗?这里是对流层/堆垛机维护器。我们有一个堆垛机蓝图(它是一个围绕对流层模板的包装器),我们在工作中用于记录桶:
BucketPolicy = t.add_resource(
s3.BucketPolicy(
"BucketPolicy",
Bucket=Ref(LogBucket),
PolicyDocument={
"Id": "Policy1550067507528",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1550067500750",
"Action": [
"s3:PutObject",
"s3:PutBucketAcl",
"s3:PutBucketLogging",
"s3:PutBucketPolicy"
],
"Effect": "Allow",
"Resource": Join("", [
"arn:aws:s3:::",
Ref(LogBucket),
"/AWSLogs/",
Ref("AWS::AccountId"),
"/*"]),
"Principal": {"AWS": "027434742980"},
}
],
},
))
希望这有帮助 CloudFormation模板中的主体错误。您应该为您所在地区使用正确的主要AWS帐户Id。在此文档中查找正确的值: 此外,你可以缩小你的行动范围。如果您只想将ALB日志推送到S3,您只需要:
from troposphere import Sub
from troposphere import s3
from stacker.blueprints.base import Blueprint
from awacs.aws import (
Statement, Allow, Policy, AWSPrincipal
)
from awacs.s3 import PutObject
class LoggingBucket(Blueprint):
VARIABLES = {
"ExpirationInDays": {
"type": int,
"description": "Number of days to keep logs around for",
},
# See the table here for account ids.
# https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html#attach-bucket-policy
"AWSAccountId": {
"type": str,
"description": "The AWS account ID to allow access to putting "
"logs in this bucket.",
"default": "797873946194" # us-west-2
},
}
def create_template(self):
t = self.template
variables = self.get_variables()
bucket = t.add_resource(
s3.Bucket(
"Bucket",
LifecycleConfiguration=s3.LifecycleConfiguration(
Rules=[
s3.LifecycleRule(
Status="Enabled",
ExpirationInDays=variables["ExpirationInDays"]
)
]
)
)
)
# Give ELB access to PutObject in the bucket.
t.add_resource(
s3.BucketPolicy(
"BucketPolicy",
Bucket=bucket.Ref(),
PolicyDocument=Policy(
Statement=[
Statement(
Effect=Allow,
Action=[PutObject],
Principal=AWSPrincipal(variables["AWSAccountId"]),
Resource=[Sub("arn:aws:s3:::${Bucket}/*")]
)
]
)
)
)
self.add_output("BucketId", bucket.Ref())
self.add_output("BucketArn", bucket.GetAtt("Arn"))
下面是一个BucketPolicy Cloudformation示例(您可以轻松地将其转换为对流层PolicyDocument元素):
您在哪里找到值
162827895266
?我在屏幕上看不到这一点。@Michael sqlbot我有点困惑,但它帮助了我,节省了我的努力。谢谢,这是问题吗?嗯,是的,我想是帐户ID的问题。还添加了多个“操作”:[“s3:PutObject”、“s3:PutBucketAcl”、“s3:PutBucketLogging”、“s3:PutBucketPolicy”],
不正确。谢谢你的提示
Action: s3:PutObject
Resources:
# Create an S3 logs bucket
ALBLogsBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Sub "my-logs-${AWS::AccountId}"
AccessControl: LogDeliveryWrite
LifecycleConfiguration:
Rules:
- Id: ExpireLogs
ExpirationInDays: 365
Status: Enabled
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
DeletionPolicy: Retain
# Grant access for the load balancer to write the logs
# For the magic number 127311923021, refer to https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#access-logging-bucket-permissions
ALBLoggingBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref ALBLogsBucket
PolicyDocument:
Statement:
- Effect: Allow
Principal:
AWS: 127311923021 # Elastic Load Balancing Account ID for us-east-1
Action: s3:PutObject
Resource: !Sub "arn:aws:s3:::my-logs-${AWS::AccountId}/*"