AccessDenied when deleting an S3 bucket in a CFN resource provider test

I am creating a CloudFormation resource with the cloudformation-cli tool. However, I am having trouble with my delete action.

In my create action I create a bucket:

s3 = session.client("s3", region_name='us-east-2')
s3.create_bucket(Bucket='mybucket123', CreateBucketConfiguration={'LocationConstraint': 'us-east-2'})

and I have set a wildcard for my s3 permissions, so after cfn generate I end up with the following resource-role.yaml

AWSTemplateFormatVersion: "2010-09-09"
Description: >
  This CloudFormation template creates a role assumed by CloudFormation
  during CRUDL operations to mutate resources on behalf of the customer.
Resources:
  ExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      MaxSessionDuration: 8400
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: resources.cloudformation.amazonaws.com
            Action: sts:AssumeRole
      Path: "/"
      Policies:
        - PolicyName: ResourceTypePolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                - "dynamodb:*"
                - "s3:*"
                Resource: "*"
Outputs:
  ExecutionRoleArn:
    Value:
      Fn::GetAtt: ExecutionRole.Arn

I have the following in my resource provider's DELETE action:

s3 = session.client("s3", region_name='us-east-2')
s3.delete_bucket(Bucket='mybucket123')

But whenever I try to test it with cfn test (run against sam local start-lambda), I get the following error, as if my role is being ignored.

An error occurred (AccessDenied) when calling the DeleteBucket operation: Access Denied

I have two suggestions for you that I hope will help.

1. The Lambda function needs permission to delete the bucket. So your ExecutionRole would look like this:

Principal:
  Service:
  - resources.cloudformation.amazonaws.com
  - lambda.amazonaws.com

2. Looking at the boto3 documentation, I found that you can pass ExpectedBucketOwner as a parameter to the delete_bucket function. If the function does not find the account, it returns an Access Denied error:

ExpectedBucketOwner (string) -- The account ID of the expected bucket owner. If the bucket is 
owned by a different account, the request will fail with an HTTP 403 (Access Denied) error.

I hope this helps solve your problem.
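As an added example (not code from the question or the answer above), here is a delete handler that passes ExpectedBucketOwner as the answer suggests and maps the S3 error codes onto the outcomes the CloudFormation handler contract expects: a missing bucket is a NotFound failure rather than a success, and a 403 is reported as AccessDenied. The S3 client is injected so the block runs offline; FakeS3 and FakeClientError are constructed stand-ins, the account IDs are placeholders, and the result dict only mirrors the status/errorCode fields of the real ProgressEvent.

```python
def delete_bucket_handler(s3_client, bucket, expected_owner):
    """Delete `bucket`, refusing to touch a bucket owned by another account."""
    try:
        # ExpectedBucketOwner makes S3 return 403 if the bucket belongs to someone else
        s3_client.delete_bucket(Bucket=bucket, ExpectedBucketOwner=expected_owner)
    except Exception as exc:  # botocore's ClientError carries the S3 code in .response
        code = getattr(exc, "response", {}).get("Error", {}).get("Code", "")
        if code == "NoSuchBucket":
            # Handler contract: deleting a resource that no longer exists is NotFound
            return {"status": "FAILED", "errorCode": "NotFound", "message": str(exc)}
        if code == "AccessDenied":
            # Either the role lacks s3:DeleteBucket or the owner check failed
            return {"status": "FAILED", "errorCode": "AccessDenied", "message": str(exc)}
        return {"status": "FAILED", "errorCode": "GeneralServiceException", "message": str(exc)}
    return {"status": "SUCCESS", "errorCode": None, "message": ""}


class FakeClientError(Exception):
    """Constructed stand-in for botocore.exceptions.ClientError (same .response shape)."""

    def __init__(self, code, operation="DeleteBucket"):
        super().__init__(f"An error occurred ({code}) when calling the {operation} operation")
        self.response = {"Error": {"Code": code}}


class FakeS3:
    """Constructed S3 client: maps bucket name -> owner account ID (placeholder IDs)."""

    def __init__(self, buckets):
        self.buckets = dict(buckets)

    def delete_bucket(self, Bucket, ExpectedBucketOwner=None):
        if Bucket not in self.buckets:
            raise FakeClientError("NoSuchBucket")
        if ExpectedBucketOwner and self.buckets[Bucket] != ExpectedBucketOwner:
            raise FakeClientError("AccessDenied")
        del self.buckets[Bucket]


if __name__ == "__main__":
    s3 = FakeS3({"mybucket123": "111111111111"})
    print(delete_bucket_handler(s3, "mybucket123", "222222222222"))  # AccessDenied, bucket kept
    print(delete_bucket_handler(s3, "mybucket123", "111111111111"))  # SUCCESS
    print(delete_bucket_handler(s3, "mybucket123", "111111111111"))  # NotFound
```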
