无法下载通过共享帐户S3存储桶上传的文件
[英]Can't download files uploaded by shared account s3 bucket
问题描述
I have created a bucket on amazon s3 and added bucket policy giving another user account access to upload files to it. 
我已经在Amazon s3上创建了存储桶,并添加了存储桶策略,该策略为另一个用户帐户提供了向其上传文件的访问权限。 I added the following bucket policy. 我添加了以下存储桶策略。
However, now I am myself unable to download the files uploaded by the sharer. 但是,现在我自己无法下载共享者上传的文件。 I guess I havn't given them acl rights. 我想我没有给他们ACL权利。 How should I proceed to download the files. 我应该如何继续下载文件。 Can they grant permission from their end for their uploaded files? 他们可以从头开始授予其上传文件的权限吗?
{
"Version": "2008-10-17",
"Id": "Policyxxxxxxxxxxxx",
"Statement": [
{
"Sid": "Stmtxxxxxxxxxxxxx",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account_number>:root"
},
"Action": [
"s3:AbortMultipartUpload",
"s3:GetObject",
"s3:ListMultipartUploadParts",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::<bucket_name>/*"
},
{
"Sid": "Stmtxxxxxxxxxxx",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account_number>:root"
},
"Action": [
"s3:PutBucketLogging",
"s3:PutBucketNotification",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::<bucket_name>"
}
]
}
4 个解决方案
解决方案1
7 已采纳 2014-04-09 05:22:35
So the problem is that the amazon s3 bucket applies bucket policy to only objects owned by bucket owner. 因此,问题在于,Amazon S3存储桶仅将存储桶策略应用于存储桶拥有者拥有的对象。 So if you are the bucket owner and gave put object permission through bucket policy that mean you also need to make sure they give you permission during the object upload. 因此,如果您是存储区所有者,并通过存储区策略授予了放置对象权限,则意味着您还需要确保他们在对象上载期间授予您权限。 While granting cross-account permissions to upload objects one can restrict only objects which comes with read permission only. 授予跨帐户上传对象的权限时,只能限制具有读取权限的对象。
Source: http://docs.aws.amazon.com/AmazonS3/latest/dev/AccessPolicyLanguage_UseCases_s3_a.html Related discussion : https://forums.aws.amazon.com/thread.jspa?messageID=524342&%20#524342 Example bucket policy : 来源: http : //docs.aws.amazon.com/AmazonS3/latest/dev/AccessPolicyLanguage_UseCases_s3_a.html相关讨论: https : //forums.aws.amazon.com/thread.jspa ?messageID=524342&%20#524342示例桶策略:
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"111",
"Effect":"Allow",
"Principal":{
"AWS":"1111111111"
},
"Action":"s3:PutObject",
"Resource":"arn:aws:s3:::examplebucket/*"
},
{
"Sid":"112",
"Effect":"Deny",
"Principal":{
"AWS":"1111111111"
},
"Action":"s3:PutObject",
"Resource":"arn:aws:s3:::examplebucket/*",
"Condition":{
"StringNotEquals":{
"s3:x-amz-grant-full-control":[
"emailAddress=xyz@amazon.com"
]
}
}
}
]
}
解决方案2
1 2017-10-12 15:33:51
Was facing a similar situation that the destination account was not granted full access that the bucket policy granting cloudfront read access does not work. 面临类似的情况,即目标帐户未获得完全访问权限,而授予Cloudfront读取访问权限的存储桶策略不起作用。
In addition to OP's "s3:x-amz-grant-full-control":[ "emailAddress=xyz@amazon.com" ] , or id=xxx , another way is to use the Canned ACL . 除了OP的"s3:x-amz-grant-full-control":[ "emailAddress=xyz@amazon.com" ]或id=xxx ,另一种方法是使用Canned ACL 。 By using the bucket-owner-full-control , we do not have to list a specific email or canonical id. 通过使用bucket-owner-full-control ,我们不必列出特定的电子邮件或规范ID。
{
"Statement":[
{
"Effect":"Allow",
"Principal":{"AWS":"111111111111"},
"Action":"s3:PutObject",
"Resource":["arn:aws:s3:::examplebucket/*","arn:aws:s3:::examplebucket"]
},
{
"Effect":"Deny",
"Principal":{"AWS":"111111111111"},
"Action":"s3:PutObject",
"Resource":"arn:aws:s3:::examplebucket/*",
"Condition": {
"StringNotEquals": {"s3:x-amz-acl":"bucket-owner-full-control"}
}
}
]
}
解决方案3
0 2015-01-07 15:50:13
I faced a similar problem 我遇到了类似的问题
I copied files from <sharerprofile> to a new amazon account in the bucket <bucketname> and i could not download the files from the new amazon account because of access protection. 我将文件从<sharerprofile>复制到存储桶<bucketname>的新亚马逊帐户,由于访问保护,我无法从新亚马逊帐户下载文件。
So i did the following : 所以我做了以下事情:
aws --profile <sharerprofile> s3api put-object-acl --acl authenticated-read --bucket <bucketname> --key <pathofthefileInBucket>
I did not find how to do this automatically for multiple files, so i had to repeat the same command for each file 我没有找到针对多个文件自动执行此操作的方法,因此我必须对每个文件重复相同的命令
解决方案4
-1 2014-04-08 18:39:52
If your using IAM user account you should use the IAM Policy Tester to see exactly how those policy changes will look like once you have deployed them. 如果您使用的是IAM用户帐户,则应使用IAM策略测试器来查看部署后这些策略更改的确切样子。
http://docs.aws.amazon.com/IAM/latest/UsingPolicySimulatorGuide/iam-policy-simulator-guide.html http://docs.aws.amazon.com/IAM/latest/UsingPolicySimulatorGuide/iam-policy-simulator-guide.html
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.