个人中心
gpt4 book ai didi

json - 创建 AWS::KMS::Key 时出现 MalformedPolicyDocumentException

转载 作者:行者123 更新时间:2023-12-03 07:11:39 30 4
gpt4 key购买 nike

我正在尝试创建一个 KSM key 以在 S3 服务中使用它,但出现 MalformedPolicyDocument 异常。这是资源:

"CustomerMasterKey":{
  "Type" : "AWS::KMS::Key",
  "Condition" : "EnableEncryption",
  "Properties" : {
    "Description" : "Client Master Key used to encrypt data",
    "Enabled" : true,
    "EnableKeyRotation" : true,
    "KeyPolicy" :
    {
      "Version": "2012-10-17",
      "Id": {"Fn::Join": ["",["Key","Policy",{"Ref": "CustomerParam"}]]},
      "Statement":
      [{
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": {"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},"moimeco"]]}
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
      },
      {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS":
        [
          {"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"}, {"Ref": "CustomerParam"}]]},
          {"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},"userprod"]]}
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.eu-west-1.amazonaws.com"
        }
      }
      }]
    }
  }
},

我不知道错误在哪里,对我来说这一切都很好。有什么想法吗?

::EDIT::

这段代码给出了同样的错误:

"CustomerMasterKey":{
      "Type" : "AWS::KMS::Key",
      "Properties" : {
        "Description" : "A sample key",
        "KeyPolicy" : {
          "Version": "2012-10-17",
          "Id": {"Fn::Join": ["-",["Key","Policy",{"Ref": "CustomerParam"}]]},
          "Statement": [
          {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
              "AWS":  {"Fn::Join": ["", ["arn:aws:iam::",{"Ref": "AWS::AccountId"},":root"]]}
            },
            "Action": "kms:*",
            "Resource": "*"
          },
          {
            "Sid": "Allow administration of the key",
            "Effect": "Allow",
            "Principal": { "AWS": {"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},":user/","userprod"]]} },
            "Action": [
              "kms:Create*",
              "kms:Describe*",
              "kms:Enable*",
              "kms:List*",
              "kms:Put*",
              "kms:Update*",
              "kms:Revoke*",
              "kms:Disable*",
              "kms:Get*",
              "kms:Delete*",
              "kms:ScheduleKeyDeletion",
              "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
          },
          {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": { "AWS": [{"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},":user/",{"Ref": "CustomerParam"}]]},
                                   {"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},":user/","moimeco"]]}]
                         },
            "Action": [
              "kms:Encrypt",
              "kms:Decrypt",
              "kms:ReEncrypt*",
              "kms:GenerateDataKey*",
              "kms:DescribeKey"
            ],
            "Resource": "*"
          },
          {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
              "AWS": {"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},":user/",{"Ref": "CustomerParam"}]]}
            },
            "Action": [
              "kms:CreateGrant",
              "kms:ListGrants",
              "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}
          }
        ]
        }
      }
    },

最佳答案

定义的主体不会评估为 Arns。

第一个主体将评估为:

"AWS": "arn:aws:iam::11111111moimeco"

用户的有效 ARN 如下所示:

"arn:aws:iam::1111111:user/username"

此外,您需要将 root 用户包含到您的主体中。

否则,AWS 根本不会让您创建 key 。其背后的原因如下所述:

AWS Key policies在“允许访问 AWS 账户并启用 IAM 策略”下

关于json - 创建 AWS::KMS::Key 时出现 MalformedPolicyDocumentException,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/42650980/

30 4 0
文章推荐: amazon-web-services - 使用 CloudFormation 与 Salesforce Connector 应用程序进行 AWS AppFlow 销售人员集成
文章推荐: javascript - 根据下拉菜单 1 选择填充下拉菜单 2 以及当我选择子选项时如何迭代
文章推荐: javascript - 露天 5 社区 : Reload document preview after executing onActionFormDialog doclib
文章推荐: aws-cloudformation - CloudFormation 模板中的事物类型
行者123
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
全站热门文章
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com