質問編集履歴
3
修正
test
CHANGED
File without changes
|
test
CHANGED
@@ -176,17 +176,9 @@
|
|
176
176
|
|
177
177
|
{
|
178
178
|
|
179
|
-
"Condition": {
|
180
|
-
|
181
|
-
"StringEquals": {
|
182
|
-
|
183
|
-
|
179
|
+
"Sid": "PutObjectForLimitedTargets",
|
184
|
-
|
185
|
-
|
180
|
+
|
186
|
-
|
187
|
-
},
|
188
|
-
|
189
|
-
"
|
181
|
+
"Effect": "Deny",
|
190
182
|
|
191
183
|
"Action": [
|
192
184
|
|
@@ -194,60 +186,6 @@
|
|
194
186
|
|
195
187
|
],
|
196
188
|
|
197
|
-
"Effect": "Allow",
|
198
|
-
|
199
|
-
"Sid": "StaticRule01"
|
200
|
-
|
201
|
-
},
|
202
|
-
|
203
|
-
{
|
204
|
-
|
205
|
-
"Condition": {
|
206
|
-
|
207
|
-
"ForAllValues:Null": {
|
208
|
-
|
209
|
-
"s3:x-amz-grant-write": true,
|
210
|
-
|
211
|
-
"s3:x-amz-grant-read": true,
|
212
|
-
|
213
|
-
"s3:x-amz-grant-read-acp": true,
|
214
|
-
|
215
|
-
"s3:x-amz-acl": true,
|
216
|
-
|
217
|
-
"s3:x-amz-grant-full-control": true,
|
218
|
-
|
219
|
-
"s3:x-amz-grant-write-acp": true
|
220
|
-
|
221
|
-
}
|
222
|
-
|
223
|
-
},
|
224
|
-
|
225
|
-
"Resource": "*",
|
226
|
-
|
227
|
-
"Action": [
|
228
|
-
|
229
|
-
"s3:PutObject"
|
230
|
-
|
231
|
-
],
|
232
|
-
|
233
|
-
"Effect": "Allow",
|
234
|
-
|
235
|
-
"Sid": "StaticRule02"
|
236
|
-
|
237
|
-
},
|
238
|
-
|
239
|
-
{
|
240
|
-
|
241
|
-
"Sid": "PutObjectForLimitedTargets",
|
242
|
-
|
243
|
-
"Effect": "Deny",
|
244
|
-
|
245
|
-
"Action": [
|
246
|
-
|
247
|
-
"s3:PutObject"
|
248
|
-
|
249
|
-
],
|
250
|
-
|
251
189
|
"NotResource": [
|
252
190
|
|
253
191
|
"arn:aws:s3:::hogehoge-bucket/*",
|
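Review bot: After this edit the policy shown appears to keep only the explicit Deny `PutObjectForLimitedTargets`, while `StaticRule01` and `StaticRule02`, the only Allow statements for `s3:PutObject` visible on this page, are removed. An explicit Deny never grants access, so unless another policy attached to the role allows `s3:PutObject` on the target bucket, every PutObject call ends in an implicit deny. The text around the policy should say where the Allow now lives, ideally scoped as `"Resource": "arn:aws:s3:::hogehoge-bucket/*"` rather than `"*"`. The Deny statement continues past the last line shown, so the rest of `NotResource` is not visible here.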
2
putobjectのポリシー内制約記載
test
CHANGED
File without changes
|
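--- a/test
+++ b/test
@@ -26,6 +26,28 @@
 
 
 
+######### 以下追記 ##############
+
+いろいろ検証してみたところ、
+
+s3:PutObjectのみ別ポリシー(制約)
+
+で設定しているポリシー内のStaticRule01, StaticRule02のどちらの条件にも
+
+CodePipelineからのアクセスが合致していないことが根本原因のようです
+
+
+
+1, CodePipelineからのアクセスが上記どちらかのルールに合致するように設定することはそもそも可能なのか
+
+2, 可能である場合どのように行えばよいか
+
+
+
+ご教授いただきたいです
+
+######### 追記ここまで ############
+
 ### 発生している問題・エラーメッセージ
 
 CodePipelineのSourceフェーズでエラー
@@ -130,14 +152,124 @@
 
 ```
 
+
+
+
+
+
+
 
 
 以下の権限を許可したポリシーをCodePipelineのサービスロールにアタッチしています
 
+
+
+s3:PutObjectのみ別ポリシー(制約)
+
 ```json
 
 {
 
+"Version": "2012-10-17",
+
+"Statement": [
+
+{
+
+"Condition": {
+
+"StringEquals": {
+
+"s3:x-amz-acl": "private"
+
+}
+
+},
+
+"Resource": "*",
+
+"Action": [
+
+"s3:PutObject"
+
+],
+
+"Effect": "Allow",
+
+"Sid": "StaticRule01"
+
+},
+
+{
+
+"Condition": {
+
+"ForAllValues:Null": {
+
+"s3:x-amz-grant-write": true,
+
+"s3:x-amz-grant-read": true,
+
+"s3:x-amz-grant-read-acp": true,
+
+"s3:x-amz-acl": true,
+
+"s3:x-amz-grant-full-control": true,
+
+"s3:x-amz-grant-write-acp": true
+
+}
+
+},
+
+"Resource": "*",
+
+"Action": [
+
+"s3:PutObject"
+
+],
+
+"Effect": "Allow",
+
+"Sid": "StaticRule02"
+
+},
+
+{
+
+"Sid": "PutObjectForLimitedTargets",
+
+"Effect": "Deny",
+
+"Action": [
+
+"s3:PutObject"
+
+],
+
+"NotResource": [
+
+"arn:aws:s3:::hogehoge-bucket/*",
+
+"arn:aws:s3:::hogehoge-bucket"
+
+]
+
+}
+
+]
+
+}
+
+```
+
+
+
+```json
+
+{
+
 "Version": "2012-10-17",
 
 "Statement": [
@@ -150,8 +282,6 @@
 
 "Action": [
 
-"s3:PutObject",
-
 "s3:PutAnalyticsConfiguration",
 
 "s3:GetObjectVersionTagging",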
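Review bot: `StaticRule01` and `StaticRule02` allow `s3:PutObject` on `"Resource": "*"`, so the only thing confining writes to `hogehoge-bucket` is the separate `PutObjectForLimitedTargets` Deny with `NotResource`; if that statement is later dropped or edited, the Allow covers every bucket the role can reach. Scoping both Allow statements to `"Resource": "arn:aws:s3:::hogehoge-bucket/*"` keeps the grant least-privilege on its own and leaves the Deny as a second layer. In `StaticRule02` the `ForAllValues:` qualifier is meant for multivalued keys, and the `s3:x-amz-acl` / `s3:x-amz-grant-*` keys carry a single value, so a plain `"Null"` operator states the same intent more clearly. The bucket ARN `arn:aws:s3:::hogehoge-bucket` in `NotResource` has no effect for `s3:PutObject`, which is evaluated against object ARNs only.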
1
マスキング後バケット名統一
test
CHANGED
File without changes
|
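--- a/test
+++ b/test
@@ -334,7 +334,7 @@
 
 ],
 
-"Resource": "arn:aws:s3:::hogehoge"
+"Resource": "arn:aws:s3:::hogehoge-bucket"
 
 },
 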