I'm creating a CloudFormation resource with the cloudformation cli tool. However, I'm having trouble with my delete action.
In my create action I'm creating a bucket:
s3 = session.client("s3", region_name='us-east-2')
s3.create_bucket(Bucket='mybucket123',CreateBucketConfiguration={'LocationConstraint': 'us-east-2'})
and I've set wildcards for my s3 permissions, so after cfn generate I end up with the following resource-role.yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  This CloudFormation template creates a role assumed by CloudFormation
  during CRUDL operations to mutate resources on behalf of the customer.
Resources:
  ExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      MaxSessionDuration: 8400
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: resources.cloudformation.amazonaws.com
            Action: sts:AssumeRole
      Path: "/"
      Policies:
        - PolicyName: ResourceTypePolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - "dynamodb:*"
                  - "s3:*"
                Resource: "*"
Outputs:
  ExecutionRoleArn:
    Value:
      Fn::GetAtt: ExecutionRole.Arn
I have the following in my resource provider's DELETE action:
s3 = session.client("s3", region_name='us-east-2')
s3.delete_bucket(Bucket='mybucket123')
But whenever I try to test it with cfn test (run with sam local start-lambda), I get the following error, as if my role were being ignored.
An error occurred (AccessDenied) when calling the DeleteBucket operation: Access Denied
I have two suggestions for you that I hope can help.
1. The lambda function needs permission to delete the bucket. So your ExecutionRole would look like this:
Principal:
  Service:
    - resources.cloudformation.amazonaws.com
    - lambda.amazonaws.com
2. Looking at the boto3 documentation, I found that you can pass ExpectedBucketOwner as a parameter to the delete_bucket function. If the function doesn't find the account, it returns an Access Denied error:
ExpectedBucketOwner (string) -- The account ID of the expected bucket owner. If the bucket is
owned by a different account, the request will fail with an HTTP 403 (Access Denied) error.
I hope this helps solve your problem.
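An added example (not code from the question or the answer above) that checks the two policies of a resource-role offline, before deploying anything: whether a given service principal is allowed to assume the role, and whether a given action on a given ARN is covered by the permission policy. The policy documents below are constructed from the question's resource-role.yaml and the answer's suggested trust-policy change; the evaluation is a simplified model of IAM (explicit Deny wins, then any matching Allow, otherwise implicit deny; Condition, NotAction and NotResource are not handled). Only the standard library is used.

```python
"""Offline sanity checks for a CloudFormation resource-role's trust policy and
permission policy. Illustration for this thread, not the project's own code."""
import fnmatch

# Constructed sample: the trust policy from the question's resource-role.yaml.
TRUST_POLICY_ORIGINAL = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "resources.cloudformation.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Constructed sample: the same trust policy with the answer's suggested change,
# adding lambda.amazonaws.com as a second service principal.
TRUST_POLICY_FIXED = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "resources.cloudformation.amazonaws.com",
                    "lambda.amazonaws.com",
                ]
            },
            "Action": "sts:AssumeRole",
        }
    ],
}

# Constructed sample: the ResourceTypePolicy from the question (wildcards).
PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["dynamodb:*", "s3:*"], "Resource": "*"}
    ],
}


def _as_list(value):
    """IAM accepts a scalar or a list for Principal.Service, Action, Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and support * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def service_can_assume(trust_policy, service):
    """True if `service` may call sts:AssumeRole under this trust policy.
    Simplified: explicit Deny wins, then any Allow, else implicit deny."""
    allowed = False
    for stmt in trust_policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        if principal == "*":
            services = ["*"]
        elif isinstance(principal, dict):
            services = _as_list(principal.get("Service"))
        else:
            services = []
        actions = _as_list(stmt.get("Action"))
        if not any(_action_matches(a, "sts:AssumeRole") for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(service, s) for s in services):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def action_allowed(policy, action, resource_arn):
    """True if the identity policy permits `action` on `resource_arn`.
    Same simplified evaluation; Condition/NotAction/NotResource ignored."""
    allowed = False
    for stmt in policy.get("Statement", []):
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if not any(_action_matches(a, action) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


if __name__ == "__main__":
    bucket_arn = "arn:aws:s3:::mybucket123"  # bucket name from the question
    for label, policy in (("original", TRUST_POLICY_ORIGINAL), ("fixed", TRUST_POLICY_FIXED)):
        print(label, "trust policy: lambda.amazonaws.com can assume ->",
              service_can_assume(policy, "lambda.amazonaws.com"))
    print("s3:DeleteBucket on", bucket_arn, "->",
          action_allowed(PERMISSION_POLICY, "s3:DeleteBucket", bucket_arn))
    print("iam:PassRole on * ->", action_allowed(PERMISSION_POLICY, "iam:PassRole", "*"))
```

Running the script shows that the original trust policy does not let lambda.amazonaws.com assume the role while the fixed one does, and that the wildcard permission policy already covers s3:DeleteBucket on the bucket, which is why the answer points at the trust relationship rather than the permission statement. The same checker can be reused later to confirm that a tightened, per-bucket permission policy still grants exactly the actions the handlers call.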