The following CloudFormation script sets up an API Gateway method that proxies an S3 bucket.

The S3BucketPolicy opens the bucket for public read access, but the AWS UI warns that this should never be done.

I tried setting the S3BucketPolicy Principal to apigateway.amazonaws.com, but that results in Access Denied.

1) What is the correct way to restrict bucket access to the API Gateway function? (Sample YAML would be great)

2) How do I debug this Access Denied failure to get more information about why it fails?

3) Where should I look for example code for what should be a very standard template snippet?

ATTEMPT #1 - Works, but only by making the S3 bucket public; otherwise Access Denied

AWSTemplateFormatVersion: 2010-09-09

Parameters:
  S3BucketName:
    Type: String
    Description: >
      Name for the S3 bucket that contains the nested templates.

Resources:
  RestAPI:
    Type: 'AWS::ApiGateway::RestApi'
    Properties:
      BinaryMediaTypes: 
            - '*/*'
      Name: !Ref 'AWS::StackName'

  RestAPIRootGET:
    Type: 'AWS::ApiGateway::Method'
    Properties:
      AuthorizationType: NONE
      HttpMethod: GET
      Integration:
        IntegrationHttpMethod: GET
        PassthroughBehavior: WHEN_NO_MATCH
        Type: HTTP_PROXY
        Uri: !Sub https://${S3BucketName}.s3.amazonaws.com/static-assets/index.html
      ResourceId: !GetAtt RestAPI.RootResourceId
      RestApiId: !Ref RestAPI
    DependsOn:
      - RestAPI

  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref S3BucketName
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Sid: GetObject
            Effect: Allow
            Principal: "*"
            Action:
              - s3:*
            Resource:
              - !Sub 'arn:aws:s3:::${S3BucketName}/static-assets/*'

I think the right approach might be to create a role that can access the bucket and then have API Gateway assume that role, but I'm having trouble finding documentation that explains how to do this in a CloudFormation template. (See also Michael - sqlbot's comment suggesting the use of the method's Credentials property.)

Here is my attempt, which still fails with Access Denied.

ATTEMPT #2 - Access Denied

AWSTemplateFormatVersion: 2010-09-09

Parameters:
  S3BucketName:
    Type: String
    Description: >
      Name for the S3 bucket that contains the nested templates.


Resources:

  RestAPI:
    Type: 'AWS::ApiGateway::RestApi'
    Properties:
      BinaryMediaTypes: 
            - '*/*'
      Name: !Ref 'AWS::StackName'

  RestAPIRootGET:
    Type: 'AWS::ApiGateway::Method'
    Properties:
      AuthorizationType: NONE
      HttpMethod: GET
      Integration:
        IntegrationHttpMethod: GET
        PassthroughBehavior: WHEN_NO_MATCH
        Type: HTTP_PROXY
        Uri: !Sub https://${S3BucketName}.s3.amazonaws.com/static-assets/index.html
        Credentials: !GetAtt AllowStaticAccessRole.Arn
      ResourceId: !GetAtt RestAPI.RootResourceId
      RestApiId: !Ref RestAPI
    DependsOn:
      - RestAPI
      - AllowStaticAccessRole

  AllowStaticAccessRole: 
    Type: "AWS::IAM::Role"
    Properties: 
      AssumeRolePolicyDocument: 
        Version: "2012-10-17"
        Statement: 
          - 
            Effect: "Allow"
            Principal: 
              Service: 
                - "apigateway.amazonaws.com"
            Action: 
              - "sts:AssumeRole"
      Path: "/"
      Policies: 
        - 
          PolicyName: "AllowStaticAccessPolicy"
          PolicyDocument: 
            Version: "2012-10-17"
            Statement: 
              - 
                Effect: "Allow"
                Action:
                  - s3:*
                Resource:
                  - !Sub 'arn:aws:s3:::${S3BucketName}/static-assets/*'
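Added example, not part of the question above: a small audit script for the two templates. It takes the bucket-policy and integration mappings as plain Python dicts (with `!Sub` already resolved; the bucket name `example-bucket` is a constructed placeholder) and flags the public `Principal: "*"`, the `s3:*` wildcard, and a `Service: apigateway.amazonaws.com` principal, which S3 only honours for requests signed by that service (an `HTTP_PROXY` integration forwards the request unsigned, which is my reading of the AWS docs, not something the question states); it also flags `Credentials` on an HTTP-type integration, since the Credentials property is documented for AWS-service integrations.

```python
def _as_list(v):
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    return v if isinstance(v, list) else [v]

def is_public_principal(principal):
    """True for Principal: "*" or Principal: {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def audit_bucket_policy(policy):
    """Return (Sid, finding) tuples for risky Allow statements in a bucket policy."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        actions = _as_list(stmt.get("Action", []))
        if is_public_principal(principal) and "Condition" not in stmt:
            findings.append((sid, "PUBLIC_PRINCIPAL"))       # anyone on the internet
        if any(a in ("*", "s3:*") for a in actions):
            findings.append((sid, "WILDCARD_ACTION"))        # far more than GetObject
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if "apigateway.amazonaws.com" in services:
            # S3 matches a Service principal only on requests signed by that service;
            # an HTTP_PROXY integration forwards the request unsigned (anonymous).
            findings.append((sid, "SERVICE_PRINCIPAL_UNSIGNED_REQUEST"))
    return findings

def audit_integration(integration):
    """Flag a Credentials role on an HTTP/HTTP_PROXY integration: the role is used
    to sign backend calls only for AWS-service integrations (Type AWS/AWS_PROXY)."""
    if integration.get("Type") in ("HTTP", "HTTP_PROXY") and "Credentials" in integration:
        return ["CREDENTIALS_UNUSED_BY_HTTP_INTEGRATION"]
    return []

# Constructed sample: the ATTEMPT #1 bucket policy with !Sub resolved.
ATTEMPT1_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "GetObject", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:*"],
        "Resource": ["arn:aws:s3:::example-bucket/static-assets/*"],
    }],
}

if __name__ == "__main__":
    for sid, finding in audit_bucket_policy(ATTEMPT1_POLICY):
        print(f"{sid}: {finding}")
```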