
Access Denied when uploading files to Amazon using Paperclip and IAM policies

I am unable to get an upload working with Paperclip using an S3 IAM policy. I'm even having issues with direct jQuery uploads (no Paperclip). My scenario is as follows: I have an application that will have many sites. Each site will have its own bucket and should only be able to access its own bucket, nobody else's. The IAM Example Policies documentation explains exactly what I want to do under "Example: Allow each IAM user access to a folder in a bucket". I have an IAM group set up for the application and have one user per site within the group. These IAM users belong to the group. The policy on the group is as follows:

{
   "Version":"2012-10-17",
   "Statement":[{
         "Effect":"Allow",
         "Action":[
            "s3:PutObject",
            "s3:GetObject",
            "s3:GetObjectVersion",
            "s3:DeleteObject",
            "s3:DeleteObjectVersion"
         ],
         "Resource":"arn:aws:s3:::my-app/${aws:username}/*"
      }
   ]
}

Here is my CORS configuration on the bucket; this is for dev, of course, and it will get locked down later:

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
</CORSConfiguration>

Here are my Paperclip settings:

has_attached_file :background_image,
                  storage: :s3,
                  s3_credentials: {
                    access_key_id: "xxx",
                    secret_access_key: "xxx"
                  },
                  bucket: "my-app",
                  s3_permissions: "public-read",
                  path: "/background_images/:id/:filename"

I was previously working with policies directly on the bucket, which did work but wasn't as flexible as I need it to be when I move into a production environment with many "sites". As far as I can tell I've followed the documentation exactly, yet anything I do results in 'Access Denied'. At this point I'm not even sure if my issue is with my IAM policy or my Paperclip configuration.

edit: clarification.

edit 2: FINAL SOLUTION

Here is my final IAM policy, based on this article:

{
 "Version":"2012-10-17",
 "Statement": [
   {
     "Sid": "AllowUserToSeeBucketListInTheConsole",
     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::*"]
   },
  {
     "Sid": "AllowRootAndHomeListingOfCompanyBucket",
     "Action": ["s3:ListBucket"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::my-app"],
     "Condition":{"StringEquals":{"s3:prefix":["","home/"],"s3:delimiter":["/"]}}
    },
   {
     "Sid": "AllowListingOfUserFolder",
     "Action": ["s3:ListBucket"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::estimator-app"],
     "Condition":{"StringLike":{"s3:prefix":["home/${aws:username}/*"]}}
   },
   {
     "Sid": "AllowAllS3ActionsInUserFolder",
     "Effect": "Allow",
     "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::my-app/home/${aws:username}/*"]
   }
 ]
}

And my updated Paperclip settings:

has_attached_file :background_image,
                    storage: :s3,
                    s3_credentials: {
                      access_key_id: "xxx",
                      secret_access_key: "xxx"
                    },
                    bucket: "estimator-app",
                    s3_permissions: "public-read",
                    path: "/home/my_s3_username/background_images/:id/:filename"

It was important to include the username in the Paperclip path. I was assuming Amazon would infer that from the credentials but that's not the case.

Because you are trying to set permissions on the uploaded object, you also need to grant the IAM user the s3:PutObjectAcl permission.
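The following is an added example, not code from the question, the answer or the Paperclip project: a small Ruby model of the identity-policy part of the S3 authorization decision, run against the question's original policy and against a least-privilege alternative to the final "s3:*" statement. It shows both points made on this page: the object key must fall under the ${aws:username} prefix the policy names (the credentials alone do not place the object there), and an upload with s3_permissions: "public-read" needs s3:PutObjectAcl as well as s3:PutObject. The IAM user name "site1", the object keys and the least-privilege policy are assumptions for illustration; the model handles Allow statements, wildcards and ${aws:username} substitution only, and ignores Condition blocks, explicit Deny, bucket policies and ACLs.

```ruby
require "json"

# Added example (not from the original post): a minimal model of how an IAM
# identity policy decides an S3 request. It handles Allow statements, action and
# resource wildcards, and ${aws:username} substitution; it deliberately ignores
# Condition blocks, explicit Deny, bucket policies and ACLs.

# Turn an IAM wildcard pattern ("*" and "?") into an anchored regex.
def iam_glob_to_regex(pattern)
  Regexp.new("\\A" + Regexp.escape(pattern).gsub('\*', ".*").gsub('\?', ".") + "\\z")
end

# Substitute the ${aws:username} policy variable the way IAM does at evaluation time.
def resolve_policy_vars(str, username)
  str.gsub("${aws:username}", username)
end

# True if any Allow statement matches both the action and the resource ARN.
def policy_allows?(policy, username:, action:, resource:)
  policy["Statement"].any? do |stmt|
    next false unless stmt["Effect"] == "Allow"
    actions   = Array(stmt["Action"])
    resources = Array(stmt["Resource"]).map { |r| resolve_policy_vars(r, username) }
    actions.any? { |a| iam_glob_to_regex(a).match?(action) } &&
      resources.any? { |r| iam_glob_to_regex(r).match?(resource) }
  end
end

# Object ARN for a Paperclip-style path. The leading "/" of the configured path
# is dropped here; the S3 key is written without it.
def object_arn(bucket, paperclip_path)
  "arn:aws:s3:::#{bucket}/#{paperclip_path.sub(%r{\A/}, "")}"
end

# Actions an upload needs: PutObject, plus PutObjectAcl when a canned ACL such
# as "public-read" is set. Returns the actions the policy does not allow
# (empty when the upload would be authorized by this policy).
def missing_actions_for_upload(policy, username:, bucket:, paperclip_path:, public_read: true)
  needed = ["s3:PutObject"]
  needed << "s3:PutObjectAcl" if public_read
  arn = object_arn(bucket, paperclip_path)
  needed.reject { |a| policy_allows?(policy, username: username, action: a, resource: arn) }
end

# The group policy from the question, verbatim.
ORIGINAL_POLICY = JSON.parse(<<~POLICY)
  {
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion",
                 "s3:DeleteObject", "s3:DeleteObjectVersion"],
      "Resource": "arn:aws:s3:::my-app/${aws:username}/*"
    }]
  }
POLICY

# Assumed least-privilege alternative to the final "s3:*" statement: the same
# per-user prefix, with PutObjectAcl added explicitly because uploads set an ACL.
LEAST_PRIVILEGE_POLICY = JSON.parse(<<~POLICY)
  {
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject",
                 "s3:GetObjectVersion", "s3:DeleteObject", "s3:DeleteObjectVersion"],
      "Resource": "arn:aws:s3:::my-app/home/${aws:username}/*"
    }]
  }
POLICY

if __FILE__ == $PROGRAM_NAME
  user = "site1" # hypothetical IAM user name, one per site
  [
    [ORIGINAL_POLICY,        "/background_images/1/bg.png"],        # key outside the user prefix
    [ORIGINAL_POLICY,        "/site1/background_images/1/bg.png"],  # right prefix, no PutObjectAcl
    [LEAST_PRIVILEGE_POLICY, "/home/site1/background_images/1/bg.png"],
  ].each do |policy, path|
    missing = missing_actions_for_upload(policy, username: user, bucket: "my-app", paperclip_path: path)
    puts "#{path}: #{missing.empty? ? 'allowed' : "denied, missing #{missing.join(', ')}"}"
  end
end
```

The first case reproduces the question's failure: the Paperclip path "/background_images/:id/:filename" produces a key that never matches "my-app/${aws:username}/*". The second shows that fixing the path alone still leaves PutObjectAcl missing when s3_permissions is "public-read", which is the answer's point. The final policy on the page gets past this because "s3:*" on the user's prefix also matches s3:PutObjectAcl; listing the actions explicitly, as in LEAST_PRIVILEGE_POLICY, keeps the same result with a narrower grant.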
