AWS ApiGateway代理到非公共S3存储桶

下面的cloudformation脚本设置了一个代理S3 bucket的Api网关方法。

S3BucketPolicy将bucket开放给公共读取访问,但是awsui警告说,永远不要这样做。

我试着制定一个政策 Principal

1) 限制对API网关函数的bucket访问的正确方法是什么(样品(最好是YAML)

2) 如何调试此拒绝访问失败,以获取有关失败原因的更多信息?

3) 我应该在哪里寻找一个非常标准的模板片段的示例代码?

尝试#1-工作,但只有使S3存储桶公开,否则访问被拒绝

AWSTemplateFormatVersion: 2010-09-09

Parameters:
  S3BucketName:
    Type: String
    Description: >
      Name for the S3 bucket that contains the nested templates.

Resources:
  RestAPI:
    Type: 'AWS::ApiGateway::RestApi'
    Properties:
      BinaryMediaTypes: 
            - '*/*'
      Name: !Ref 'AWS::StackName'

  RestAPIRootGET:
    Type: 'AWS::ApiGateway::Method'
    Properties:
      AuthorizationType: NONE
      HttpMethod: GET
      Integration:
        IntegrationHttpMethod: GET
        PassthroughBehavior: WHEN_NO_MATCH
        Type: HTTP_PROXY
        Uri: !Sub https://${S3BucketName}.s3.amazonaws.com/static-assets/index.html
      ResourceId: !GetAtt RestAPI.RootResourceId
      RestApiId: !Ref RestAPI
    DependsOn:
      - RestAPI

  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref S3BucketName
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Sid: GetObject
            Effect: Allow
            Principal: "*"
            Action:
              - s3:*
            Resource:
              - !Sub 'arn:aws:s3:::${S3BucketName}/static-assets/*'

我认为现在的方法可能是创建一个可以访问bucket的角色,然后让ApiGateway承担这个角色,但是我很难找到说明如何在cloudformation模板中执行此操作的文档(另请参见Michael-sqlbot注释(建议使用方法的credentials属性)

尝试#2-拒绝访问

AWSTemplateFormatVersion: 2010-09-09

Parameters:
  S3BucketName:
    Type: String
    Description: >
      Name for the S3 bucket that contains the nested templates.


Resources:

  RestAPI:
    Type: 'AWS::ApiGateway::RestApi'
    Properties:
      BinaryMediaTypes: 
            - '*/*'
      Name: !Ref 'AWS::StackName'

  RestAPIRootGET:
    Type: 'AWS::ApiGateway::Method'
    Properties:
      AuthorizationType: NONE
      HttpMethod: GET
      Integration:
        IntegrationHttpMethod: GET
        PassthroughBehavior: WHEN_NO_MATCH
        Type: HTTP_PROXY
        Uri: !Sub https://${S3BucketName}.s3.amazonaws.com/static-assets/index.html
        Credentials: !GetAtt AllowStaticAccessRole.Arn
      ResourceId: !GetAtt RestAPI.RootResourceId
      RestApiId: !Ref RestAPI
    DependsOn:
      - RestAPI
      - AllowStaticAccessRole

  AllowStaticAccessRole: 
    Type: "AWS::IAM::Role"
    Properties: 
      AssumeRolePolicyDocument: 
        Version: "2012-10-17"
        Statement: 
          - 
            Effect: "Allow"
            Principal: 
              Service: 
                - "apigateway.amazonaws.com"
            Action: 
              - "sts:AssumeRole"
      Path: "/"
      Policies: 
        - 
          PolicyName: "AllowStaticAccessPolicy"
          PolicyDocument: 
            Version: "2012-10-17"
            Statement: 
              - 
                Effect: "Allow"
                Action:
                  - s3:*
                Resource:
                  - !Sub 'arn:aws:s3:::${S3BucketName}/static-assets/*'