I'm trying to add a policy to my (static website) S3 bucket to let only the CloudFormation distribution access it, but during deployment I still get a MalformedPolicy error and cannot find where the problem is.
CloudFormation template essential parts
Resources:
  BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    DependsOn:
      - AppBucket
      - CloudFrontDistribution
    Properties:
      Bucket: !Ref AppBucket
      PolicyDocument:
        Id: MyPolicy
        Version: 2012-10-17
        Statement:
          - Sid: PolicyForCloudFrontPrivateContent
            Action: 's3:GetObject*'
            Effect: Allow
            Condition:
              StringLike:
                'aws:Referer':
                  - !Sub 'https://*.${CloudFrontDistribution}.cloudfront.net/*'
            Resource:
              - !Sub arn:aws:s3:::${AppBucket}
  CloudFrontDistribution:
    # ...
  AppBucket:
    # ...
Deployment error
(...)
CloudFormation events from stack operations (refresh every 0.5 seconds)
---------------------------------------------------------------------------------------------------------------------------------------------
ResourceStatus ResourceType LogicalResourceId ResourceStatusReason
---------------------------------------------------------------------------------------------------------------------------------------------
UPDATE_IN_PROGRESS AWS::S3::BucketPolicy BucketPolicy -
UPDATE_FAILED AWS::S3::BucketPolicy BucketPolicy Missing required field Principal
(Service: Amazon S3; Status Code:
400; Error Code: MalformedPolicy;
Request ID: DG2QHRDJQ2WS6JZV; S3
Extended Request ID: 6u LYv77A4Ao
DmKmyB4Sfup rueC1iGAQ82GdkfHimIZL
X/HXUPWj2FKSq7WCgi41F4XU6z6BOk=;
Proxy: null)
UPDATE_ROLLBACK_IN_PROGRESS AWS::CloudFormation::Stack test-app-hosting The following resource(s) failed
to update: [BucketPolicy].
UPDATE_COMPLETE AWS::S3::BucketPolicy BucketPolicy -
UPDATE_ROLLBACK_COMPLETE_CLEANUP_ AWS::CloudFormation::Stack test-app-hosting -
IN_PROGRESS
UPDATE_ROLLBACK_COMPLETE AWS::CloudFormation::Stack test-app-hosting -
---------------------------------------------------------------------------------------------------------------------------------------------
Error: Failed to create/update the stack: test-app-hosting, Waiter StackUpdateComplete failed: Waiter encountered a terminal failure state: For expression "Stacks[].StackStatus" we matched expected path: "UPDATE_ROLLBACK_COMPLETE" at least once
Update #1
As both @luk2302 and @Marcin pointed out, I was missing the Statement > Principal section (feel pretty dumb about it), but adding it now gives a new error:
---------------------------------------------------------------------------------------------------------------------------------------------
ResourceStatus ResourceType LogicalResourceId ResourceStatusReason
---------------------------------------------------------------------------------------------------------------------------------------------
UPDATE_IN_PROGRESS AWS::S3::BucketPolicy BucketPolicy -
UPDATE_FAILED AWS::S3::BucketPolicy BucketPolicy Invalid policy syntax. (Service:
Amazon S3; Status Code: 400;
Error Code: MalformedPolicy;
Request ID: NH6PZB3QF0747F4N; S3
Extended Request ID: xdXOFPWgHCjg
Lzf4gdjCg79NIXS6qtmtLuGn8N7NeLIOJ
4Qw2bgSJ2v6MKdNzbrMCWCEPKBc90E=;
Proxy: null)
UPDATE_ROLLBACK_IN_PROGRESS AWS::CloudFormation::Stack test-app-hosting The following resource(s) failed
to update: [BucketPolicy].
CodePudding user response:
Resource is incorrectly indented, and you are missing Principal as described in AWS docs. It should be:
BucketPolicy:
  Type: 'AWS::S3::BucketPolicy'
  DependsOn:
    - AppBucket
    - CloudFrontDistribution
  Properties:
    Bucket: !Ref AppBucket
    PolicyDocument:
      Id: MyPolicy
      Version: 2012-10-17
      Statement:
        - Sid: PolicyForCloudFrontPrivateContent
          Action: 's3:GetObject*'
          Effect: Allow
          Principal:
            Service: cloudfront.amazonaws.com
          Resource:
            - !Sub arn:aws:s3:::${AppBucket}
          Condition:
            StringLike:
              'aws:Referer':
                - !Sub 'https://*.${CloudFrontDistribution}.cloudfront.net/*'
CodePudding user response:
Ok, after a lot of trial and error I found that the main problem was giving Resource and Condition.StringLike.aws:Referer array values instead of strings:
Wrong
Resource:
  - !Sub arn:aws:s3:::${AppBucket}
Condition:
  StringLike:
    'aws:Referer':
      - !Sub 'https://*.${CloudFrontDistribution}.cloudfront.net/*'
Right
Resource: !Sub arn:aws:s3:::${AppBucket}
Condition:
  StringLike:
    'aws:Referer': !Sub 'https://*.${CloudFrontDistribution}.cloudfront.net/*'
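A check that could be run before pushing the template, as an added example that is not code from the question or either answer above: a small Python linter over the policy document as S3 receives it, that is, with `!Ref`/`!Sub` already resolved (the bucket name and distribution id below are constructed placeholders). It reports the field S3 complained about in the first deployment error (a bucket policy is resource-based, so every statement needs a Principal), accepts either a single string or a list for Resource and condition values as the IAM grammar does, and additionally flags something neither answer mentions: `s3:GetObject*` is an object-level action, so the Resource has to be the object ARN `arn:aws:s3:::bucket/*` rather than the bucket ARN. A separate warning function notes that an `aws:Referer` condition keys off a request header the requester supplies, so it does not by itself identify the CloudFront distribution.

```python
"""Offline linter for an S3 bucket-policy document.

Added example, not code from the question or either answer. The two policies
below are the thread's statement as S3 would receive it after CloudFormation
resolves !Ref/!Sub; BUCKET and DISTRIBUTION are constructed placeholders.
"""

BUCKET = "my-app-bucket"        # placeholder for the resolved !Ref AppBucket
DISTRIBUTION = "E1234EXAMPLE"   # placeholder for the resolved CloudFront id
S3_ARN_PREFIX = "arn:aws:s3:::"
# Object-level S3 actions: their Resource must name keys (bucket/...), not the bucket.
OBJECT_ACTION_PREFIXES = ("s3:getobject", "s3:putobject", "s3:deleteobject")


def as_list(value):
    """IAM accepts one string or a list for Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def lint_bucket_policy(policy):
    """Return a list of errors; an empty list means every check passed."""
    errors = []
    if policy.get("Version") != "2012-10-17":
        errors.append("Version must be the string '2012-10-17'")
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return errors + ["Statement must be a non-empty list"]
    for index, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"statement {index}")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            errors.append(f"{sid}: Effect must be Allow or Deny")
        if "Action" not in stmt and "NotAction" not in stmt:
            errors.append(f"{sid}: missing required field Action")
        # A bucket policy is resource-based: each statement must say who it applies to.
        if "Principal" not in stmt and "NotPrincipal" not in stmt:
            errors.append(f"{sid}: missing required field Principal")
        if "Resource" not in stmt and "NotResource" not in stmt:
            errors.append(f"{sid}: missing required field Resource")
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        for res in as_list(stmt.get("Resource", [])):
            if not isinstance(res, str) or not res.startswith(S3_ARN_PREFIX):
                errors.append(f"{sid}: Resource {res!r} is not an S3 ARN")
                continue
            bucket_only = "/" not in res[len(S3_ARN_PREFIX):]
            if bucket_only and any(a.startswith(OBJECT_ACTION_PREFIXES) for a in actions):
                errors.append(f"{sid}: object action on bucket ARN {res}; use {res}/*")
        for operator, block in stmt.get("Condition", {}).items():
            if not isinstance(block, dict):
                errors.append(f"{sid}: Condition operator {operator} must map keys to values")
                continue
            for key, values in block.items():
                if not all(isinstance(v, str) for v in as_list(values)):
                    errors.append(f"{sid}: condition {operator}/{key} values must be strings")
    return errors


def weak_conditions(policy):
    """Warnings that do not fail the policy: header conditions do not prove identity."""
    warnings = []
    for stmt in policy.get("Statement", []):
        for block in stmt.get("Condition", {}).values():
            if isinstance(block, dict) and "aws:Referer" in block:
                warnings.append(f"{stmt.get('Sid', '?')}: aws:Referer is a header chosen by "
                                "the requester; it does not identify the distribution")
    return warnings


# The statement as first posted in the question (no Principal, bucket ARN as Resource).
POLICY_AS_ASKED = {
    "Id": "MyPolicy",
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PolicyForCloudFrontPrivateContent",
        "Action": "s3:GetObject*",
        "Effect": "Allow",
        "Condition": {"StringLike": {
            "aws:Referer": [f"https://*.{DISTRIBUTION}.cloudfront.net/*"]}},
        "Resource": [f"arn:aws:s3:::{BUCKET}"],
    }],
}

# Same statement with a Principal, the object ARN, and string-valued fields.
POLICY_FIXED = {
    "Id": "MyPolicy",
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PolicyForCloudFrontPrivateContent",
        "Action": "s3:GetObject*",
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
        "Condition": {"StringLike": {
            "aws:Referer": f"https://*.{DISTRIBUTION}.cloudfront.net/*"}},
    }],
}

if __name__ == "__main__":
    for name, policy in (("as asked", POLICY_AS_ASKED), ("fixed", POLICY_FIXED)):
        print(name, "errors:", lint_bucket_policy(policy))
        print(name, "warnings:", weak_conditions(policy))
```

Running the script prints two errors for the policy as originally asked (the missing Principal and the bucket-ARN Resource) and none for the corrected one, which still carries the Referer warning; the checker is a pre-deployment gate on the rendered document and does not replace CloudFormation's own validation.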