AWS PHP SDK IAM createPolicy MalformedPolicyDocument



I'm running into a problem creating an IAM policy with the AWS PHP SDK and getting a MalformedPolicyDocument error.

The policy JSON looks fine to me, so I'm not sure why it is failing. I'm sure it's something simple and stupid that I'm doing wrong, but I just don't see it.

The use case here is that we create a new IAM user, a new S3 bucket, and a new policy that restricts access to only the new bucket, and then attach that policy to the new user.

The IAM user and the S3 bucket get created, but as soon as the new policy is created, the MalformedPolicyDocument error appears.

Please keep in mind that this code is not for production; it is only to exercise the flow and get the basic approach working, which is why the keys are used directly in the code here. I figured I'd better throw that out there so the replies don't get hung up on it.

Here is the code I'm using to test the workflow:

<?php
require 'aws/aws-autoloader.php';

use Aws\S3\S3Client;
use Aws\Iam\IamClient;
use Aws\Exception\AwsException;

// VARIABLES
$key = 'SOMEKEY';
$secretKey = 'SOMESECRETKEY';
$domain = 'somedomain.com';
$stagingDomain = 'somestagingdomain.com';
$userName = 'somedomaincom';
$BUCKET_NAME = 'somedomaincom';
$s3Arn = 'arn:aws:s3:::' . $BUCKET_NAME;
$policyName = 'somedomaincomPolicy';
// NOTE: 'arn:aws:iam::aws:policy/...' is the namespace of AWS-managed policies;
// a customer-managed policy's ARN contains the account id and is returned by createPolicy
$policyArn = 'arn:aws:iam::aws:policy/' . $policyName;

$iamClient = new IamClient([
    'version' => 'latest',
    'region' => 'us-west-2',
    'credentials' => [
        'key'    => $key,
        'secret' => $secretKey,
    ],
]);

try {
    $result = $iamClient->createUser([
        'UserName' => $userName,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    echo $e->getMessage();
    error_log($e->getMessage());
}

// Create an S3Client
$s3Client = new S3Client([
    'version' => 'latest',
    'region' => 'us-west-2',
    'credentials' => [ // CHANGE THIS TO A DIFFERENT METHOD BEFORE MOVING TO PRODUCTION
        'key'    => $key,
        'secret' => $secretKey,
    ],
]);

// Creating the S3 bucket
try {
    $result = $s3Client->createBucket([
        'Bucket' => $BUCKET_NAME,
    ]);
} catch (AwsException $e) {
    // output error message if it fails
    echo $e->getMessage();
    echo "\n";
}

// SET CORS RULES
$cors = [[
    'AllowedOrigins' => [$domain, $stagingDomain],
    'AllowedMethods' => ['POST', 'GET', 'PUT'],
    'MaxAgeSeconds' => 3000,
    'AllowedHeaders' => ['*'],
]];

// ADD CORS RULES
$result = $s3Client->putBucketCors([
    'Bucket' => $BUCKET_NAME,
    'CORSConfiguration' => ['CORSRules' => $cors],
]);

// CREATE IAM POLICY - BREAKS ON THIS, MALFORMED POLICY???
// ("latest" is not a policy-language version; IAM rejects it with MalformedPolicyDocument)
$myManagedPolicy = '{
    "Version": "latest",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "' . $s3Arn . '",
                "' . $s3Arn . '/*"
            ]
        }
    ]
}';

try {
    $result = $iamClient->createPolicy([
        'PolicyName' => $policyName,
        'PolicyDocument' => $myManagedPolicy,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if it fails
    error_log($e->getMessage());
    echo $e->getMessage();
}

// ATTACH IAM POLICY TO USER
try {
    // getIterator() returns a Generator, which cannot be passed to count(); just iterate it
    $attachedUserPolicies = $iamClient->getIterator('ListAttachedUserPolicies', [
        'UserName' => $userName,
    ]);
    foreach ($attachedUserPolicies as $attachedUserPolicy) {
        if ($attachedUserPolicy['PolicyName'] == $policyName) {
            echo $policyName . " is already attached to this role.\n";
            exit();
        }
    }
    $result = $iamClient->attachUserPolicy([
        'UserName' => $userName,
        'PolicyArn' => $policyArn,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if it fails
    error_log($e->getMessage());
    echo $e->getMessage();
}

I've tried various ways of formatting the policy JSON, such as adding [] around the Action and Resource values, and hard-coding the values instead of using variables.

This seems like a very simple thing, but I'm stuck. Do you know where I'm going wrong?

Of course, I figured it out as soon as I posted this.

I think my problem was trying to use "latest" as the Version, so I changed it to 2012-10-17.

In case this helps anyone else doing something similar, below is the full working code that creates a new IAM user, creates access keys for the new user, creates a new S3 bucket, sets CORS on the S3 bucket to allow access from a domain and a staging domain, creates a new policy that restricts access to only the new S3 bucket, and then attaches that new policy to the new IAM user:

<?php
require 'aws/aws-autoloader.php';

use Aws\S3\S3Client;
use Aws\Iam\IamClient;
use Aws\Exception\AwsException;

// VARIABLES
$key = 'YOURKEY';
$secretKey = 'YOURSECRETKEY';
$iamUserKey = '';
$iamUserSecretKey = '';
$domain = 'somedomain.com';
$stagingDomain = 'somestagingdomain.com';
$userName = 'someusername';
$BUCKET_NAME = 'somebucketname';
$s3Arn = 'arn:aws:s3:::' . $BUCKET_NAME;
$policyName = 'somepolicynamePolicy';
$policyArn = ''; // filled in from the createPolicy response below

// CREATE IAM CLIENT
$iamClient = new IamClient([
    'version' => 'latest',
    'region' => 'us-west-2',
    'credentials' => [ // CHANGE THIS TO A DIFFERENT METHOD BEFORE MOVING TO PRODUCTION
        'key'    => $key,
        'secret' => $secretKey,
    ],
]);

// CREATE IAM USER
try {
    $result = $iamClient->createUser([
        'UserName' => $userName,
    ]);
    //var_dump($result);
} catch (AwsException $e) {
    echo $e->getMessage();
    error_log($e->getMessage());
}

// CREATE IAM USER ACCESS KEYS
try {
    $result = $iamClient->createAccessKey([
        'UserName' => $userName,
    ]);
    // the secret is only ever returned in this one response; store it somewhere appropriate
    $iamUserKey = $result['AccessKey']['AccessKeyId'];
    $iamUserSecretKey = $result['AccessKey']['SecretAccessKey'];
} catch (AwsException $e) {
    // output error message if it fails
    error_log($e->getMessage());
}

// CREATE S3 CLIENT
$s3Client = new S3Client([
    'version' => 'latest',
    'region' => 'us-west-2',
    'credentials' => [ // CHANGE THIS TO A DIFFERENT METHOD BEFORE MOVING TO PRODUCTION
        'key'    => $key,
        'secret' => $secretKey,
    ],
]);

// CREATE S3 BUCKET
try {
    $result = $s3Client->createBucket([
        'Bucket' => $BUCKET_NAME,
    ]);
} catch (AwsException $e) {
    echo $e->getMessage();
    echo "\n";
}

// SET CORS RULES
$cors = [[
    'AllowedOrigins' => [$domain, $stagingDomain],
    'AllowedMethods' => ['POST', 'GET', 'PUT'],
    'MaxAgeSeconds' => 3000,
    'AllowedHeaders' => ['*'],
]];

// ADD CORS RULES
$result = $s3Client->putBucketCors([
    'Bucket' => $BUCKET_NAME,
    'CORSConfiguration' => ['CORSRules' => $cors],
]);

// CREATE IAM POLICY (Version must be a real policy-language version such as 2012-10-17, not "latest")
// NOTE: s3:ListAllMyBuckets is only effective with Resource "*"; scoped to a bucket ARN as below,
// the first statement grants nothing, which is fine if you only want access inside the one bucket
$myManagedPolicy = '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "' . $s3Arn . '"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "' . $s3Arn . '/*"
        }
    ]
}';

try {
    $result = $iamClient->createPolicy([
        // PolicyName is required
        'PolicyName' => $policyName,
        // PolicyDocument is required
        'PolicyDocument' => $myManagedPolicy,
    ]);
    //var_dump($result);
    $policyArn = $result['Policy']['Arn'];
} catch (AwsException $e) {
    // output error message if it fails
    error_log($e->getMessage());
    echo $e->getMessage();
}

// ATTACH IAM POLICY TO USER
try {
    // getIterator() returns a Generator, which cannot be passed to count(); just iterate it
    $attachedUserPolicies = $iamClient->getIterator('ListAttachedUserPolicies', [
        'UserName' => $userName,
    ]);
    foreach ($attachedUserPolicies as $attachedUserPolicy) {
        if ($attachedUserPolicy['PolicyName'] == $policyName) {
            echo $policyName . " is already attached to this role.\n";
            exit();
        }
    }
    $result = $iamClient->attachUserPolicy([
        // UserName is required
        'UserName' => $userName,
        // PolicyArn is required
        'PolicyArn' => $policyArn,
    ]);
    //var_dump($result);
} catch (AwsException $e) {
    // output error message if it fails
    error_log($e->getMessage());
    echo $e->getMessage();
}

Do not use this code as-is, and you should not put access keys directly into the code as I did in this test example. You should look into the various ways of authenticating with the SDK and use the one that best fits your situation.
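The root cause in the question above (a Version value IAM does not recognise) and the working answer both build the policy as a hand-concatenated string. The following is an added example, not the poster's code, that shows the same createPolicy / attachUserPolicy flow done in a way that catches such mistakes before the API call: the document is a PHP array serialised with json_encode, a local pre-flight check rejects the usual MalformedPolicyDocument causes (bad Version, missing Effect/Action/Resource), the customer-managed policy's ARN is taken from the createPolicy response rather than guessed, the policy grants only the bucket-scoped S3 actions instead of s3:*, and the SDK's default credential provider chain is used instead of keys in source. It assumes AWS SDK for PHP v3 installed via Composer; $userName and $bucketName are placeholders.

```php
<?php
// Added example, not the poster's code. Assumes AWS SDK for PHP v3 via Composer; names are placeholders.
require 'vendor/autoload.php';

use Aws\Iam\IamClient;
use Aws\Exception\AwsException;

$userName   = 'someusername';   // placeholder
$bucketName = 'somebucketname'; // placeholder
$policyName = $bucketName . 'Policy';
$bucketArn  = 'arn:aws:s3:::' . $bucketName;

// Build the document as a PHP array and let json_encode emit the JSON, so quoting mistakes cannot creep in.
$policy = [
    'Version'   => '2012-10-17', // "latest" is not a policy-language version and is rejected
    'Statement' => [
        [
            'Effect'   => 'Allow',
            'Action'   => ['s3:ListBucket', 's3:GetBucketLocation'],
            'Resource' => $bucketArn,
        ],
        [
            'Effect'   => 'Allow',
            'Action'   => ['s3:GetObject', 's3:PutObject', 's3:DeleteObject'],
            'Resource' => $bucketArn . '/*',
        ],
    ],
];

// Pre-flight check for the usual causes of MalformedPolicyDocument; returns a list of problems (empty = passed).
// IAM still validates server-side; this only fails earlier and with a clearer message.
function checkPolicyDocument(array $policy): array
{
    $problems = [];
    if (!in_array($policy['Version'] ?? null, ['2012-10-17', '2008-10-17'], true)) {
        $problems[] = 'Version must be "2012-10-17" (or the legacy "2008-10-17")';
    }
    $statements = $policy['Statement'] ?? null;
    if (!is_array($statements) || $statements === []) {
        $problems[] = 'Statement must be a non-empty array';
        return $problems;
    }
    foreach ($statements as $i => $stmt) {
        if (!in_array($stmt['Effect'] ?? null, ['Allow', 'Deny'], true)) {
            $problems[] = "Statement[$i]: Effect must be Allow or Deny";
        }
        if (!isset($stmt['Action']) && !isset($stmt['NotAction'])) {
            $problems[] = "Statement[$i]: Action (or NotAction) is required";
        }
        if (!isset($stmt['Resource']) && !isset($stmt['NotResource'])) {
            $problems[] = "Statement[$i]: Resource (or NotResource) is required in an identity policy";
        }
    }
    return $problems;
}

$problems = checkPolicyDocument($policy);
if ($problems !== []) {
    fwrite(STDERR, "Policy rejected locally:\n - " . implode("\n - ", $problems) . "\n");
    exit(1);
}
$policyDocument = json_encode($policy, JSON_UNESCAPED_SLASHES | JSON_PRETTY_PRINT);

// No 'credentials' key: the default provider chain (environment, shared credentials file, instance/container role) is used.
$iam = new IamClient(['version' => 'latest', 'region' => 'us-west-2']);

try {
    $result    = $iam->createPolicy(['PolicyName' => $policyName, 'PolicyDocument' => $policyDocument]);
    $policyArn = $result['Policy']['Arn']; // arn:aws:iam::<account-id>:policy/<name>, taken from the response
} catch (AwsException $e) {
    if ($e->getAwsErrorCode() !== 'EntityAlreadyExists') {
        throw $e; // MalformedPolicyDocument and friends surface here with IAM's own reason text
    }
    // Safe to re-run: look the existing customer-managed policy up by name instead of failing.
    $policyArn = null;
    foreach ($iam->getPaginator('ListPolicies', ['Scope' => 'Local']) as $page) {
        foreach ($page['Policies'] as $p) {
            if ($p['PolicyName'] === $policyName) { $policyArn = $p['Arn']; break 2; }
        }
    }
}

// Attach only if not already attached; compare by ARN, which is unambiguous, rather than by name.
$attached = false;
foreach ($iam->getPaginator('ListAttachedUserPolicies', ['UserName' => $userName]) as $page) {
    foreach ($page['AttachedPolicies'] as $p) {
        if ($p['PolicyArn'] === $policyArn) { $attached = true; break 2; }
    }
}
if (!$attached) {
    $iam->attachUserPolicy(['UserName' => $userName, 'PolicyArn' => $policyArn]);
}
echo "Policy $policyArn is attached to user $userName\n";
```

Run it with credentials supplied through the environment or a profile (for example AWS_PROFILE) so nothing secret sits in the file. The local check is deliberately narrow: it mirrors the structural rules IAM enforces, and anything it misses still comes back from createPolicy as a MalformedPolicyDocument with IAM's own explanation in the exception message.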
