我想将快照从Elasticache导出到S3。通过遵循文档,这是相对容易的手动设置的。但是,我想通过使用Terraform以编程方式进行此操作。
在文档中指出:
5. Choose Access Control List.
<snip />
8. Set the permissions on the bucket by choosing Yes for:
a. List objects
b. Write objects
c. Read bucket permissions
我无法在Terraform文档中找到可以在存储桶上设置这些权限的任何地方。我确实找到了一些文档,将上述权限映射到IAM政策权限,并将其应用于存储策略。不幸的是,我仍然会收到以下错误:
呼叫CopySnapShot操作时发生错误(无效(
代码
设置S3桶:
data "aws_iam_policy_document" "my_backups" {
statement {
actions = [
"s3:GetBucketAcl",
"s3:ListBucket",
"s3:PutObject",
"s3:DeleteObject",
]
resources = [
"arn:aws:s3:::my-backups",
"arn:aws:s3:::my-backups/*",
]
principals {
type = "CanonicalUser"
identifiers = ["540804c33a284a299d2547575ce1010f2312ef3da9b3a053c8bc45bf233e4353"]
}
}
}
resource "aws_s3_bucket" "my_backups" {
bucket = "my-backups"
policy = "${data.aws_iam_policy_document.my_backups.json}"
}
github
我找到了与此相关的两个问题(尚未合并的代码(:
- 支持存储桶ACL
- ACL赠款的实施
我猜想这可能是不可能的,直到解决了这两个问题之一。
基于错误,似乎您是ElasticCache主体,无法读取Buckets访问控制策略权限。您需要根据此页面添加一些额外的权限https://docs.aws.amazon.com/amazonelastiveache/latest/red-ug/backups-exporting.html#backups-exporting-grant-grant-corporting-grant-access-grant-access
{
"Statement":
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
}
"Version": "2012-10-17"
}