Reputation: 1255
Adding a bucket policy for an S3 bucket, but I am running into multiple problems defining it in YAML. Here is the sample:
S3CURBucketPolicy:
  Type: 'AWS::S3::BucketPolicy'
  Properties:
    PolicyDocument:
      Statement:
        - Action:
            - 's3:ListBucket'
          Resource: !Join [ '', ["arn:aws:s3:::", !Ref S3BucketTest]]
          Effect: Allow
          Condition:
            StringEquals:
              'AWS:SourceAccount':
                - 12334456676
          Principal: '*'
    Bucket: !Ref S3BucketTest
S3BucketTest is the resource name of the S3 bucket I defined in the same CFT:
S3BucketTest:
  Type: AWS::S3::Bucket
I was able to create the S3 bucket without any issues, but the bucket policy is giving errors.
I am essentially looking to replicate this in YAML:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "stmt_cross_acct_rs_Access",
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::12345678:role/role_rs_1", "arn:aws:iam::12345678:root"]
      },
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::<demo-bucket>",
        "arn:aws:s3:::<demo-bucket>/*"
      ]
    }
  ]
}
Upvotes: 1
Views: 2130
Reputation: 8603
This works for me. I was able to create the stack. I only had to change join to sub.
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  S3BucketTest:
    Type: AWS::S3::Bucket
  S3CURBucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - 's3:ListBucket'
            Resource:
              - !Sub 'arn:aws:s3:::${S3BucketTest}'
              - !Sub 'arn:aws:s3:::${S3BucketTest}/*'
            Effect: Allow
            Condition:
              StringEquals:
                'AWS:SourceAccount':
                  - 12334456676
            Principal: '*'
      Bucket: !Ref S3BucketTest
Hope this helps.
Upvotes: 1
Reputation: 8885
Assuming you have a 'demobucket' as either a bucket resource or a parameter, the JSON above would look like this in YAML:
Version: '2012-10-17'   # quoted so YAML parsers do not read the value as a date
Statement:
  - Sid: stmt_cross_acct_rs_Access
    Effect: Allow
    Principal:
      AWS:
        - arn:aws:iam::12345678:role/role_rs_1
        - arn:aws:iam::12345678:root
    Action:
      - s3:GetBucketLocation
      - s3:GetObject
      - s3:ListBucket
      - s3:ListBucketMultipartUploads
      - s3:ListMultipartUploadParts
      - s3:AbortMultipartUpload
      - s3:PutObject
    Resource:
      - !Sub 'arn:aws:s3:::${demobucket}'
      - !Sub 'arn:aws:s3:::${demobucket}/*'
This is what you should do for the YAML you had:
S3CURBucketPolicy:
  Type: 'AWS::S3::BucketPolicy'
  Properties:
    PolicyDocument:
      Statement:
        - Action:
            - 's3:ListBucket'
          Resource: !GetAtt S3BucketTest.Arn
          Effect: Allow
          Condition:
            StringEquals:
              'AWS:SourceAccount':
                - 12334456676
          Principal: '*'
    Bucket: !Ref S3BucketTest
Upvotes: 1
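The two answers above spell the bucket ARN three different ways (!Join in the question, !Sub in the first answer, !GetAtt here). The following script is an added example, not code from the question or either answer: it resolves those intrinsic functions to the value CloudFormation would produce at deploy time, shows that all three agree, and runs a couple of defender-side checks on the resulting statement (a wildcard Principal must carry a Condition, every Resource must be an S3 ARN). It assumes the intrinsics arrive in their JSON long form (the shape a CloudFormation YAML loader produces) and uses a constructed physical bucket name for the S3BucketTest logical ID.

```python
import re

# Constructed deploy-time values for the logical ID used on this page.
STACK = {"S3BucketTest": {"Ref": "cur-bucket-abc123",
                          "Arn": "arn:aws:s3:::cur-bucket-abc123"}}

def resolve(node, stack=STACK):
    """Replace Ref / Fn::Sub / Fn::GetAtt / Fn::Join (the JSON long form of
    !Ref, !Sub, !GetAtt and !Join) with their deploy-time values."""
    if isinstance(node, list):
        return [resolve(n, stack) for n in node]
    if not isinstance(node, dict):
        return node
    if "Ref" in node:
        return stack[node["Ref"]]["Ref"]
    if "Fn::GetAtt" in node:
        logical, attr = node["Fn::GetAtt"]
        return stack[logical][attr]
    if "Fn::Sub" in node:
        def var(m):  # ${Logical} -> Ref value, ${Logical.Attr} -> attribute
            name, _, attr = m.group(1).partition(".")
            return stack[name][attr or "Ref"]
        return re.sub(r"\$\{([^}]+)\}", var, node["Fn::Sub"])
    if "Fn::Join" in node:
        sep, parts = node["Fn::Join"]
        return sep.join(resolve(p, stack) for p in parts)
    return {k: resolve(v, stack) for k, v in node.items()}

def lint_statement(stmt):
    """Defender-side checks on one resolved statement; returns findings."""
    findings = []
    if stmt.get("Principal") == "*" and "Condition" not in stmt:
        findings.append("wildcard Principal without a Condition")
    res = stmt.get("Resource", [])
    res = [res] if isinstance(res, str) else res
    for arn in res:
        if not arn.startswith("arn:aws:s3:::"):
            findings.append(f"non-S3 Resource: {arn}")
    return findings

# The three spellings used in the question and answers for the bucket ARN.
JOIN = {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "S3BucketTest"}]]}
SUB = {"Fn::Sub": "arn:aws:s3:::${S3BucketTest}"}
GETATT = {"Fn::GetAtt": ["S3BucketTest", "Arn"]}

# The question's statement, as the loader would hand it over (constructed).
QUESTION_STMT = {"Action": ["s3:ListBucket"], "Effect": "Allow", "Principal": "*",
                 "Resource": [SUB, {"Fn::Sub": "arn:aws:s3:::${S3BucketTest}/*"}],
                 "Condition": {"StringEquals": {"AWS:SourceAccount": [12334456676]}}}
```

resolve(JOIN), resolve(SUB) and resolve(GETATT) all return the same ARN, and lint_statement(resolve(QUESTION_STMT)) returns no findings because the wildcard Principal is paired with a Condition.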
Reputation: 552
For multiple resources, try this:
Resource:
  - 'arn:aws:s3:::<demo-bucket>'      # the bucket itself
  - 'arn:aws:s3:::<demo-bucket>/*'    # the objects inside it
Upvotes: 0