Json 创建AWS::KSM::Key时格式错误的PolicyDocumentException
我试图创建一个KSM密钥,以便在S3服务中使用它,但我得到了格式错误的PolicyDocument异常。以下是资源:Json 创建AWS::KSM::Key时格式错误的PolicyDocumentException,json,amazon-web-services,amazon-s3,amazon-cloudformation,Json,Amazon Web Services,Amazon S3,Amazon Cloudformation,我试图创建一个KSM密钥,以便在S3服务中使用它,但我得到了格式错误的PolicyDocument异常。以下是资源: "CustomerMasterKey":{ "Type" : "AWS::KMS::Key", "Condition" : "EnableEncryption", "Properties" : { "Description" : "Client Master Key used to encrypt data", "Enabled" : true,
"CustomerMasterKey":{
"Type" : "AWS::KMS::Key",
"Condition" : "EnableEncryption",
"Properties" : {
"Description" : "Client Master Key used to encrypt data",
"Enabled" : true,
"EnableKeyRotation" : true,
"KeyPolicy" :
{
"Version": "2012-10-17",
"Id": {"Fn::Join": ["",["Key","Policy",{"Ref": "CustomerParam"}]]},
"Statement":
[{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": {"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},"moimeco"]]}
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS":
[
{"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"}, {"Ref": "CustomerParam"}]]},
{"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},"userprod"]]}
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:ViaService": "s3.eu-west-1.amazonaws.com"
}
}
}]
}
}
},
我不知道哪里出错了,对我来说都是好的。有什么想法吗
::编辑::
此代码给出了相同的错误:
"CustomerMasterKey":{
"Type" : "AWS::KMS::Key",
"Properties" : {
"Description" : "A sample key",
"KeyPolicy" : {
"Version": "2012-10-17",
"Id": {"Fn::Join": ["-",["Key","Policy",{"Ref": "CustomerParam"}]]},
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": {"Fn::Join": ["", ["arn:aws:iam::",{"Ref": "AWS::AccountId"},":root"]]}
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow administration of the key",
"Effect": "Allow",
"Principal": { "AWS": {"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},":user/","userprod"]]} },
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": { "AWS": [{"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},":user/",{"Ref": "CustomerParam"}]]},
{"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},":user/","moimeco"]]}]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": {"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},":user/",{"Ref": "CustomerParam"}]]}
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}
}
]
}
}
},
定义的主体不评估为ARN 第一位负责人将评估:
"AWS": "arn:aws:iam::11111111moimeco"
用户的有效ARN如下所示:
"arn:aws:iam::1111111:user/username"
此外,还需要将根用户包括到主体中
否则,AWS根本不允许您创建密钥。这背后的原因如下所述:
在“允许访问AWS帐户并启用IAM策略”下,我更正了
用户Arn
,并在主体中添加了根,但仍然存在相同的错误。我不确定还需要做什么来纠正错误。请帮助我编辑了这个问题,并将给出相同错误的新代码放入其中。您是否可以尝试将两个主要ARN设置为{“AWS”:“*”},以验证模板是否存在其他问题。我从这一点开始,逐步向列表中添加用户,直到得到预期的结果。在将所有主体设置为{“AWS”:“*”}
后,它工作得非常好。因此策略无法找到用户。Fn::Join
一定是出了什么问题,我是通过编辑一个用户Arn使其正常工作的,而我的用户Arn出了问题