Terraform S3 bucket creation causes not authorized


Problem description

What AWS permission is required to create an S3 bucket? Creating one causes HTTP/1.1 403 Forbidden on ec2/DescribeAccountAttributes and s3/CreateBucket. Or, how can I get further information on the AWS side to troubleshoot further?

I added all permissions on EC2 and S3 to the user account, but that did not solve the problem.

If I have all the permissions of the account owner (using a different account), this does not happen.

Trying to create an S3 bucket:

resource "aws_s3_bucket" "s3_bucket_tfstate" {
  bucket = "${var.s3_bucket_tfstate}"
  acl    = "private"
}    

However, it causes a 403; the TF_LOG=DEBUG output is below.

2017/12/06 18:55:35 [DEBUG] [aws-sdk-go] DEBUG: Request ec2/DescribeAccountAttributes Details:
---[ REQUEST POST-SIGN ]-----------------------------
POST / HTTP/1.1
Host: ec2.ap-southeast-2.amazonaws.com
User-Agent: aws-sdk-go/1.12.35 (go1.9; darwin; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.11.0-beta1
Content-Length: 87
Authorization: AWS4-HMAC-SHA256 Credential=<credential>/20171206/ap-southeast-2/ec2/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date, Signature=****
Content-Type: application/x-www-form-urlencoded; charset=utf-8
X-Amz-Date: 20171206T075535Z
Accept-Encoding: gzip

Action=DescribeAccountAttributes&AttributeName.1=supported-platforms&Version=2016-11-15
-----------------------------------------------------
2017/12/06 18:55:35 [DEBUG] [aws-sdk-go] DEBUG: Response ec2/DescribeAccountAttributes Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 403 Forbidden
Connection: close
Transfer-Encoding: chunked
Date: Wed, 06 Dec 2017 07:55:37 GMT
Server: AmazonEC2


-----------------------------------------------------
2017/12/06 18:55:35 [DEBUG] [aws-sdk-go] <?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>UnauthorizedOperation</Code><Message>You are not authorized to perform this operation.</Message></Error></Errors><RequestID>0b9480d5-a687-46f8-a0ca-a212c37ce3fb</RequestID></Response>
2017/12/06 18:55:35 [DEBUG] [aws-sdk-go] DEBUG: Validate Response ec2/DescribeAccountAttributes failed, not retrying, error UnauthorizedOperation: You are not authorized to perform this operation.


2017/12/06 19:55:52 [DEBUG] [aws-sdk-go] DEBUG: Request s3/CreateBucket Details:
---[ REQUEST POST-SIGN ]-----------------------------
PUT / HTTP/1.1
Host: mule-cdr-billing-adapter-config-tfstate.s3.ap-southeast-2.amazonaws.com
User-Agent: aws-sdk-go/1.12.35 (go1.9; darwin; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.11.0-beta1
Content-Length: 158
Authorization: AWS4-HMAC-SHA256 Credential=****/20171206/ap-southeast-2/s3/aws4_request, SignedHeaders=content-length;host;x-amz-acl;x-amz-content-sha256;x-amz-date, Signature=****
X-Amz-Acl: private
X-Amz-Content-Sha256: 8bfaf12a44a138dc6f38eb5c291558f2c551b0f18ab6e2a5e7f9a00176b25240
X-Amz-Date: 20171206T085552Z
Accept-Encoding: gzip

<CreateBucketConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><LocationConstraint>ap-southeast-2</LocationConstraint></CreateBucketConfiguration>
-----------------------------------------------------
2017/12/06 19:55:53 [DEBUG] [aws-sdk-go] DEBUG: Response s3/CreateBucket Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 403 Forbidden
Connection: close
Transfer-Encoding: chunked
Content-Type: application/xml
Date: Wed, 06 Dec 2017 08:55:55 GMT
Server: AmazonS3
X-Amz-Id-2: oAttLYQ1qxta2qs03RD79G8xZxTSfDtauQZyeQ8lsq2+4LWBghg+bGjpNvL6Xl1qPnIwE8YOyRs=
X-Amz-Request-Id: 9B562398EEFDF96E


-----------------------------------------------------
2017/12/06 19:55:53 [DEBUG] [aws-sdk-go] <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>9B562398EEFDF96E</RequestId><HostId>oAttLYQ1qxta2qs03RD79G8xZxTSfDtauQZyeQ8lsq2+4LWBghg+bGjpNvL6Xl1qPnIwE8YOyRs=</HostId></Error>
2017/12/06 19:55:53 [DEBUG] [aws-sdk-go] DEBUG: Validate Response s3/CreateBucket failed, not retrying, error AccessDenied: Access Denied
    status code: 403, request id: 9B562398EEFDF96E, host id: oAttLYQ1qxta2qs03RD79G8xZxTSfDtauQZyeQ8lsq2+4LWBghg+bGjpNvL6Xl1qPnIwE8YOyRs=

Accepted answer

Cause

I simulated the AWS S3 CreateBucket call via the IAM Policy Simulator and found that the policy preventing the creation was the MFA one.

# Obtain temporary, MFA-backed credentials from STS. $SECURITY_DEVICE_ARN is the
# ARN of the MFA device and $MFA_TOKEN is the current one-time code.
session=$(aws sts get-session-token --profile "$AWS_PROFILE" --serial-number "$SECURITY_DEVICE_ARN" --token-code "$MFA_TOKEN")
# Export the temporary credentials so the Terraform AWS provider reads them from the environment.
export AWS_ACCESS_KEY_ID=$(echo "$session" | jq -r .Credentials.AccessKeyId)
export AWS_SECRET_ACCESS_KEY=$(echo "$session" | jq -r .Credentials.SecretAccessKey)
export AWS_SESSION_TOKEN=$(echo "$session" | jq -r .Credentials.SessionToken)
# The serial number is the device ARN, not the one-time code.
export AWS_MFA_SERIAL_NUMBER="${SECURITY_DEVICE_ARN}"

Then run terraform.
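To show why "all permissions on EC2 and S3" still produces a 403 until MFA-backed credentials are used, here is an added example (not part of the original question or answer) that evaluates a small IAM policy the way IAM does: an explicit Deny wins over any Allow. The policy is the common "deny unless MFA is present" pattern and is assumed here; the asker's actual policy is not shown on the page.

```python
# Added example: minimal IAM evaluator for the Bool / BoolIfExists operators,
# enough to reproduce the MFA Deny behaviour behind the 403 in the question.
import fnmatch

# Constructed policy: broad Allow plus the assumed MFA Deny statement.
POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"},
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            # BoolIfExists also matches when the key is absent, which is the case
            # for long-term access keys used without `aws sts get-session-token`.
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ]
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_matches(cond, ctx):
    """Evaluate only the Bool / BoolIfExists operators used by this example."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            if key not in ctx:
                if op == "BoolIfExists":
                    continue        # missing key counts as a match
                return False        # plain Bool: a missing key never matches
            if str(ctx[key]).lower() != str(want).lower():
                return False
    return True

def evaluate(policy, action, ctx):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' using IAM's explicit-Deny-wins rule."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatch(action, a) for a in _as_list(st["Action"])):
            continue
        if not _condition_matches(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"           # explicit Deny overrides any Allow
        decision = "Allow"
    return decision
```

With no `aws:MultiFactorAuthPresent` key in the request context (long-term keys) both calls from the question are denied; with session credentials obtained through MFA the same Allow statement takes effect.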

