S3 put_bucket_policy API failing with invalid principal error .... when it shouldn't

0

Testing a script that creates a bucket (with a bucket policy and some other configuration stuff), IAM role, IAM policy, and ties these all together to create a role that can be assumed to put data into a new bucket. I have added buffer timers into the script to allow for the fact that some of these elements don't immediately take effect. BUT ... I had an error where for 30 minutes I could not apply a bucket policy because it kept seeing the IAM Role as an invalid principal. I played around with this for 30 minutes. I could get other roles to work in the bucket policy, but not the newly created one. I stepped aside and when I came back hours later it just worked.
Is there any SLA on when a role can be assigned to a bucket policy? In most cases 30 seconds seems to be enough time, but I need to plan for this edge condition.

1 answer
0
Accepted answer

Hello.

I think this is due to the IAM transmission delay problem that occurred a while ago.
It is thought that there was a problem in which the newly created IAM settings took a long time to be reflected, so they could not be referenced in the S3 bucket policy.

[RESOLVED] IAM Propagation delays

[07:52 PM PST] Beginning at 5:27 PM PST, IAM role and policy changes stopped propagating to some regions, as mentioned in an earlier update. By 7:18 PM PST, we had identified the root cause, which allowed earlier submitted changes to begin propagating. As a backlog of changes had developed during that time, it took until 7:40 PM PST for that backlog to be fully processed. As of now, all IAM role and policy changes are propagating normally. Some dependent services are still processing their backlogs, as they fully recover they will report GREEN status on this event. No IAM changes were lost during this process, only delayed, so there is no need to re-submit any changes that may have been submitted during this time. They have all been fully propagated.

[07:18 PM PST] IAM role and policy changes submitted after 5:27 PM PST are not propagating to the following regions: US-EAST-1, US-EAST-2, US-WEST-1, US-WEST-2, AP-NORTHEAST-1, AP-NORTHEAST-2, AP-NORTHEAST-3, AP-SOUTH-1, AP-SOUTHEAST-1, AP-SOUTHEAST-2, CA-CENTRAL-1, EU-NORTH-1, EU-WEST-1, EU-WEST-2, EU-WEST-3, and SA-EAST-1. We have identified the cause of the issue, and are actively working towards mitigation. This issue is affecting creation of and changes to IAM roles, users, and policies. This is also affecting workflows that make changes to IAM, such as creating a new EKS cluster. Operations that authenticate or authorize against existing IAM configurations are not affected, such as retrieving an S3 object or invoking a Lambda function. We will provide another update within 30 minutes.

[06:57 PM PST] We are investigating increased propagation delays for AWS Identity and Access Management (IAM). Newly created or recently updated IAM users, credentials, roles, policies are impacted. Authentication and authorization of existing users, credentials, roles, policies are not impacted.

Expert
Answered 5 months ago
Expert
Reviewed 5 months ago
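The edge condition the question describes (a freshly created role rejected as an invalid principal until IAM propagation catches up) can be handled in the script with a bounded retry loop instead of fixed buffer timers. This is an added example, not code from the question or the answer; it assumes S3 reports the condition as error code MalformedPolicy with the message "Invalid principal in policy", and the bucket name and role ARN are constructed placeholders. A fake client stands in for boto3 so the example runs offline; in practice pass a real boto3 S3 client to put_bucket_policy_with_retry.

```python
import json
import random
import time

class FakeClientError(Exception):
    """Offline stand-in for botocore.exceptions.ClientError (same .response shape)."""
    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.response = {"Error": {"Code": code, "Message": message}}

def is_principal_propagation_error(exc):
    """S3 answers MalformedPolicy / 'Invalid principal in policy' while it cannot
    resolve the role yet; only that is worth retrying, AccessDenied or a typo is final."""
    err = getattr(exc, "response", {}).get("Error", {})
    return (err.get("Code") == "MalformedPolicy"
            and "invalid principal" in err.get("Message", "").lower())

def put_bucket_policy_with_retry(s3, bucket, policy, max_wait=900.0,
                                 base_delay=2.0, sleep=time.sleep):
    """Retry with capped exponential backoff plus jitter while the principal has not
    propagated; returns the attempt count, re-raises once max_wait seconds are spent."""
    attempt, waited = 0, 0.0
    while True:
        attempt += 1
        try:
            s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))
            return attempt
        except Exception as exc:
            if not is_principal_propagation_error(exc) or waited >= max_wait:
                raise
            delay = min(60.0, base_delay * 2 ** (attempt - 1)) + random.uniform(0, 1)
            sleep(delay)
            waited += delay

class FakeS3Client:
    """Constructed stand-in: rejects the principal `failures` times, then accepts."""
    def __init__(self, failures):
        self.failures, self.calls = failures, 0
    def put_bucket_policy(self, Bucket, Policy):
        self.calls += 1
        if self.calls <= self.failures:
            raise FakeClientError("MalformedPolicy", "Invalid principal in policy")
        return {"ResponseMetadata": {"HTTPStatusCode": 204}}

def demo(failures=3):
    """Run the loop against the fake client; record delays instead of sleeping."""
    policy = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:PutObject",
              "Resource": "arn:aws:s3:::example-ingest-bucket/*",  # constructed bucket name
              "Principal": {"AWS": "arn:aws:iam::123456789012:role/EXAMPLE-ingest-role"}}]}  # placeholder ARN
    delays = []
    attempts = put_bucket_policy_with_retry(FakeS3Client(failures), "example-ingest-bucket",
                                            policy, sleep=delays.append)
    return attempts, delays
```

Bound max_wait to what the pipeline can tolerate and log each retry, so a role that never becomes resolvable (a wrong ARN) surfaces as a failure rather than a silent 15 minute stall.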
