Hello, I'm currently creating a policy for an AWS ...
# generalb
big-angle-30002
04/29/2024, 6:57 PMHello, I'm currently creating a policy for an AWS bucket and assigning it to the bucket with the BucketPolicy resource. In this policy I need an Origin Access Identity
Copy code
oai = OriginAccessIdentity(
f"OAI-{data_conf['project_name'].upper()}",
comment="OAI for allowing CloudFront to access the site S3 bucket") Copy code
oai = Output.all(oai.iam_arn, oai.s3_canonical_user_id).apply(
lambda args: print(f"OAI ARN: {args[0]} | OAI Canonical User ID: {args[1]}")
)
>>> OAI ARN: arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E2HBZRUL9B8YD6 | OAI Canonical User ID: 6816a94df8576437bce079301fa206257850acd55849d905e19e13d4b942310f7646739fe2c756ae7e376c0fce7aaaf5AttributeError: 'NoneType' object has no attribute 's3_canonical_user_id' Copy code
site_bucket_policies_statement = get_policy_document(
version="2012-10-17",
statements=[
{
"effect": "Deny",
"principals": [
{
"type": "AWS",
"identifiers": ["*"]
}
],
"actions": ["s3:*"],
"resources": [
site_bucket[0].arn.apply(lambda arn: arn),
],
"conditions": [
{
"test": "Bool",
"variable": "aws:SecureTransport",
"values": ["false"]
}
]
},
{
"effect": "Allow",
"actions": ["s3:GetObject"],
"resources": [
site_bucket[0].arn.apply(lambda arn: arn)
],
"principals": [{
"type": "AWS",
"identifiers": [ oai.s3_canonical_user_id.apply(lambda id: id)]
}]
},
{
"effect": "Allow",
"actions": [
"s3:PutBucketPolicy",
"s3:GetBucket*",
"s3:List*",
"s3:DeleteObject*"
],
"resources": [
site_bucket[0].arn.apply(lambda arn: arn)
],
"principals": [{
"type": "AWS",
"identifiers": [ lambda_role.arn.apply(lambda arn: arn) ]
}]
}
]
) Copy code
site_bucket_policy = BucketPolicy(
f"BUCKET_POLICY_{data_conf['project_name'].upper()}",
bucket=site_bucket[0].id,
policy=site_bucket_policies_statement.json,
opts=ResourceOptions(depends_on=[site_bucket[0]])
)d
dry-keyboard-94795
04/29/2024, 7:37 PMIn your code, you've reassigned
oaidry-keyboard-94795
04/29/2024, 7:38 PMWell, it returns the return of print(...), which is
Noneπ 1
b
big-angle-30002
04/29/2024, 7:46 PMhow use the oai into the get_policy_document to avoid the NoneType error?
d
dry-keyboard-94795
04/29/2024, 7:47 PMInstead of
oai = Output.all(...)Output.all(...)β
1
dry-keyboard-94795
04/29/2024, 7:56 PMSorry, I assumed something about the function.
I think you need to wrap
get_policy_documentπ 1
b
big-angle-30002
04/29/2024, 7:58 PMmy fool. my original error was a Malformed policy, then I wrote the line oai = Output.... for see if the values was ok. I returned to my original malformed policy error :v
big-angle-30002
04/29/2024, 8:00 PM Copy code
site_bucket_policies_statement = get_policy_document(
version="2012-10-17",
statements=[
{
"effect": "Deny",
"principals": [
{
"type": "AWS",
"identifiers": ["*"]
}
],
"actions": ["s3:*"],
"resources": [
site_bucket[0].arn
],
"conditions": [
{
"test": "Bool",
"variable": "aws:SecureTransport",
"values": ["false"]
}
]
},
{
"effect": "Allow",
"actions": ["s3:GetObject"],
"resources": [
site_bucket[0].arn
],
"principals": [{
"type": "AWS",
"identifiers": [ oai.iam_arn ]
}]
},
{
"effect": "Allow",
"actions": [
"s3:PutBucketPolicy",
"s3:GetBucket*",
"s3:List*",
"s3:DeleteObject*"
],
"resources": [
site_bucket[0].arn
],
"principals": [{
"type": "AWS",
"identifiers": [ lambda_role.arn ]
}]
}
]
)aws:s3:BucketPolicy (BUCKET_POLICY_ARCHIE-STACK):error: 1 error occurred:* putting S3 Bucket (bucket-1-archie-stack-nonprod) Policy: operation error S3: PutBucketPolicy, https response error StatusCode: 400, RequestID: ABG1XJX5FZPTS0Y1, HostID: ODRmhKJaygEo69JqTC0ZSAwSD3wBR3EBwskAjF+xh6tZp9MK+3pdIQzQxA2sp+uyRpTmGUCjza2niQptID1gdw==, api error MalformedPolicy: Action does not apply to any resource(s) in statementd
dry-keyboard-94795
04/29/2024, 8:06 PMwhat I think you need is something like this:
Copy code
site_bucket_policies_statement = Output.all(
lambda_role_arn=lambda_role.arn,
site_bucket_arn=site_bucket[0].arn,
oai_iam_arn=oai.iam_arn,
).apply(lambda d: get_policy_document(
version="",
statements=[
{
"effect": "Deny",
"principals": [
{
"type": "AWS",
"identifiers": ["*"]
}
],
"actions": ["s3:*"],
"resources": [
d["site_bucket_arn"],
],
"conditions": [
{
"test": "Bool",
"variable": "aws:SecureTransport",
"values": ["false"]
}
]
},
{
"effect": "Allow",
"actions": ["s3:GetObject"],
"resources": [
d["site_bucket_arn"],
],
"principals": [{
"type": "AWS",
"identifiers": [ d["oai_iam_arn"] ]
}]
},
{
"effect": "Allow",
"actions": [
"s3:PutBucketPolicy",
"s3:GetBucket*",
"s3:List*",
"s3:DeleteObject*"
],
"resources": [
site_bucket[0].arn
],
"principals": [{
"type": "AWS",
"identifiers": [ lambda_role.arn ]
}]
}
],
))dry-keyboard-94795
04/29/2024, 8:07 PMthough I'm unsure. the examples in the docs imply you can directly reference outputs in the statements, so either the examples are incorrect or the type definitions are incorrect
dry-keyboard-94795
04/29/2024, 8:09 PMwhile it's more verbose, you'll get better editor support if you use the Input Classes instead of a list of dictionaries:
aws.iam.GetPolicyDocumentStatementArgsdry-keyboard-94795
04/29/2024, 8:10 PMso:
Copy code
statements=[
aws.iam.GetPolicyDocumentStatementArgs(
resources=[...],
),
]π 1
b
big-angle-30002
04/29/2024, 8:19 PMI will try the verbose form, because I still have the malformed policy error. thanks a lot :3
big-angle-30002
04/29/2024, 9:32 PMTo resolve the malformed policy it was necessary to specify the object arn "/*" in addition to the bucket arn in the resources list. for example:
Copy code
"Resource": [
f"{args[0]}",
f"{args[0]}/*"
],big-angle-30002
04/29/2024, 9:35 PMand the OAI statement only need the object arn
6 Views