Json 创建AWS:：KSM:：Key时格式错误的PolicyDocumentException_Json_Amazon Web Services_Amazon S3_Amazon Cloudformation

Json 创建AWS:：KSM:：Key时格式错误的PolicyDocumentException

json amazon-web-services amazon-s3 amazon-cloudformation

Json 创建AWS:：KSM:：Key时格式错误的PolicyDocumentException,json,amazon-web-services,amazon-s3,amazon-cloudformation,Json,Amazon Web Services,Amazon S3,Amazon Cloudformation,我试图创建一个KSM密钥，以便在S3服务中使用它，但我得到了格式错误的PolicyDocument异常。以下是资源： "CustomerMasterKey":{ "Type" : "AWS::KMS::Key", "Condition" : "EnableEncryption", "Properties" : { "Description" : "Client Master Key used to encrypt data", "Enabled" : true,

我试图创建一个KSM密钥，以便在S3服务中使用它，但我得到了格式错误的PolicyDocument异常。以下是资源：

"CustomerMasterKey":{
  "Type" : "AWS::KMS::Key",
  "Condition" : "EnableEncryption",
  "Properties" : {
    "Description" : "Client Master Key used to encrypt data",
    "Enabled" : true,
    "EnableKeyRotation" : true,
    "KeyPolicy" :
    {
      "Version": "2012-10-17",
      "Id": {"Fn::Join": ["",["Key","Policy",{"Ref": "CustomerParam"}]]},
      "Statement":
      [{
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": {"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},"moimeco"]]}
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
      },
      {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS":
        [
          {"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"}, {"Ref": "CustomerParam"}]]},
          {"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},"userprod"]]}
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.eu-west-1.amazonaws.com"
        }
      }
      }]
    }
  }
},

我不知道哪里出错了，对我来说都是好的。有什么想法吗

：：编辑：：

此代码给出了相同的错误：

"CustomerMasterKey":{
      "Type" : "AWS::KMS::Key",
      "Properties" : {
        "Description" : "A sample key",
        "KeyPolicy" : {
          "Version": "2012-10-17",
          "Id": {"Fn::Join": ["-",["Key","Policy",{"Ref": "CustomerParam"}]]},
          "Statement": [
          {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
              "AWS":  {"Fn::Join": ["", ["arn:aws:iam::",{"Ref": "AWS::AccountId"},":root"]]}
            },
            "Action": "kms:*",
            "Resource": "*"
          },
          {
            "Sid": "Allow administration of the key",
            "Effect": "Allow",
            "Principal": { "AWS": {"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},":user/","userprod"]]} },
            "Action": [
              "kms:Create*",
              "kms:Describe*",
              "kms:Enable*",
              "kms:List*",
              "kms:Put*",
              "kms:Update*",
              "kms:Revoke*",
              "kms:Disable*",
              "kms:Get*",
              "kms:Delete*",
              "kms:ScheduleKeyDeletion",
              "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
          },
          {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": { "AWS": [{"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},":user/",{"Ref": "CustomerParam"}]]},
                                   {"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},":user/","moimeco"]]}]
                         },
            "Action": [
              "kms:Encrypt",
              "kms:Decrypt",
              "kms:ReEncrypt*",
              "kms:GenerateDataKey*",
              "kms:DescribeKey"
            ],
            "Resource": "*"
          },
          {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
              "AWS": {"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},":user/",{"Ref": "CustomerParam"}]]}
            },
            "Action": [
              "kms:CreateGrant",
              "kms:ListGrants",
              "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}
          }
        ]
        }
      }
    },

定义的主体不评估为ARN

第一位负责人将评估：

"AWS": "arn:aws:iam::11111111moimeco"

用户的有效ARN如下所示：

"arn:aws:iam::1111111:user/username"

此外，还需要将根用户包括到主体中

否则，AWS根本不允许您创建密钥。这背后的原因如下所述：

在“允许访问AWS帐户并启用IAM策略”下，我更正了

用户Arn

，并在主体中添加了根，但仍然存在相同的错误。我不确定还需要做什么来纠正错误。请帮助我编辑了这个问题，并将给出相同错误的新代码放入其中。您是否可以尝试将两个主要ARN设置为{“AWS”：“*”}，以验证模板是否存在其他问题。我从这一点开始，逐步向列表中添加用户，直到得到预期的结果。在将所有主体设置为

{“AWS”：“*”}

后，它工作得非常好。因此策略无法找到用户。

Fn:：Join

一定是出了什么问题，我是通过编辑一个用户Arn使其正常工作的，而我的用户Arn出了问题