I am having an issue using Terraform (v0.9.2) adding services to an ELB (I'm using: https://github.com/segmentio/stack/blob/master/s3-logs/main.tf).
When I run
The docs for ELB access logs say that you want to allow a specific Amazon account to be able to write to S3, not your account.
As such you want something like:
    {
      "Id": "Policy1429136655940",
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Stmt1429136633762",
          "Action": [
            "s3:PutObject"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::my-loadbalancer-logs/my-app/AWSLogs/123456789012/*",
          "Principal": {
            "AWS": [
              "652711504416"
            ]
          }
        }
      ]
    }
In Terraform you can use the aws_elb_service_account data source to automatically fetch the account ID used for writing logs as can be seen in the example in the docs:
    data "aws_elb_service_account" "main" {}

    resource "aws_s3_bucket" "elb_logs" {
      bucket = "my-elb-tf-test-bucket"
      acl    = "private"
      policy = <
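
The approach the answer describes, written out as an added example (not the code from the Terraform docs or from the original answer): it builds the bucket policy with `aws_iam_policy_document` instead of a heredoc, using the interpolation syntax of the Terraform 0.9 line the question mentions. The bucket name, the `my-app` prefix, the ELB name, the availability zone, the ports and the resource labels are placeholders.

```hcl
# Added example. Names, prefix, ports and availability zone are placeholders.

# Regional ELB account that delivers access logs (not your own account).
data "aws_elb_service_account" "main" {}

# Your own account ID, which appears only in the log path.
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "elb_logs" {
  statement {
    sid     = "AllowELBLogDelivery"
    effect  = "Allow"
    actions = ["s3:PutObject"]

    # Restrict writes to this account's log path under the chosen prefix.
    resources = [
      "arn:aws:s3:::my-loadbalancer-logs/my-app/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
    ]

    principals {
      type        = "AWS"
      identifiers = ["${data.aws_elb_service_account.main.arn}"]
    }
  }
}

resource "aws_s3_bucket" "elb_logs" {
  bucket = "my-loadbalancer-logs"
  acl    = "private"
  policy = "${data.aws_iam_policy_document.elb_logs.json}"
}

resource "aws_elb" "app" {
  name               = "my-app-elb"
  availability_zones = ["us-west-2a"]

  access_logs {
    bucket        = "${aws_s3_bucket.elb_logs.bucket}"
    bucket_prefix = "my-app"
    interval      = 60
  }

  listener {
    instance_port     = 8000
    instance_protocol = "http"
    lb_port           = 80
    lb_protocol       = "http"
  }
}
```

The prefix in the policy's resource ARN has to match `bucket_prefix` on the load balancer, otherwise the `s3:PutObject` grant does not cover the path the logs are written to.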