事象
Access Denied for bucket: <S3バケット名>. Please check S3bucket permission nlb
原因
- サービスアカウントからS3バケットへの書込み権限がないため。
解決策
- S3 のバケットポリシーで以下のようにサービスアカウントからのアクセスを許可する。
{
"Version": "2012-10-17",
"Id": "AWSConsole-AccessLogs-Policy-1601391827684",
"Statement": [
{
"Sid": "AWSConsoleStmt-1601391827686",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::582318560864:root"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::elb-log/AWSLogs/123456789023/*"
},
{
"Sid": "AWSLogDeliveryWrite",
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::elb-log/AWSLogs/123456789023/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Sid": "AWSLogDeliveryAclCheck",
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::elb-log"
}
]
}