如何为 s3 存储桶设置允许经过身份验证的用户列出存储桶或从存储桶中获取任何文件的策略
[英]How can I set a policy for an s3 bucket that allows authenticated users to list the bucket or get any file from the bucket
问题描述
I have set a permission on the bucket that allows "Authenticated Users" to list, upload, and delete from a bucket I created.
我在存储桶上设置了一个权限,允许“经过身份验证的用户”从我创建的存储桶中列出、上传和删除。 This seems to allow me to upload files to the bucket, but it appears that downloading files from the bucket is not covered by this permission, and I instead need to define a policy for the bucket.这似乎允许我将文件上传到存储桶,但似乎从存储桶下载文件不在此权限范围内,我需要为存储桶定义一个策略。 It's not clear to me how to set such a policy.我不清楚如何制定这样的政策。 I tried the policy generator with my best guesses at what I should fill in, but the result was not a valid policy when I pasted it in as a new policy for the bucket (it failed with the message Action does not apply to any resource(s) in statement - Action "s3:ListBucket" in Statement "Stmt-some-number" ).我用我最好的猜测尝试了策略生成器,我应该填写什么,但是当我将它作为存储桶的新策略粘贴时,结果不是一个有效的策略(它失败并显示消息Action does not apply to any resource(s) in statement - Action "s3:ListBucket" in Statement "Stmt-some-number" )。 Can someone explain what is wrong with the following policy and how to set it correctly to allow authenticated users to retrieve files from the bucket?有人可以解释以下策略有什么问题以及如何正确设置它以允许经过身份验证的用户从存储桶中检索文件吗?
{
"Id": "Policy-some-number",
"Statement": [
{
"Sid": "Stmt-some-number",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*",
"Principal": {
"AWS": [
"*"
]
}
}
]
}
4 个解决方案
解决方案1
91 2015-02-12 22:44:43
s3:GetObject applies to the objects in the bucket so the Resource is correct: "Resource": "arn:aws:s3:::my-bucket/*" . s3:GetObject适用于存储桶中的对象,因此 Resource 是正确的: "Resource": "arn:aws:s3:::my-bucket/*" 。
s3:ListBucket applies to the Bucket itself and so the Resource should be "Resource": "arn:aws:s3:::my-bucket" s3:ListBucket适用于 Bucket 本身,因此 Resource 应该是"Resource": "arn:aws:s3:::my-bucket"
your resulting policy should resemble:您产生的政策应该类似于:
{
"Id": "Policy-some-number",
"Statement": [
{
"Sid": "Stmt-some-number",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*",
"Principal": {
"AWS": [
"*"
]
}
},
{
"Sid": "Stmt-some-other-number",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket",
"Principal": {
"AWS": [
"*"
]
}
}
]
}
解决方案2
40 2016-04-11 14:14:25
Just to compliment @c4urself answer.只是为了赞美@c4urself 的回答。 the answer help solve my issue as well, but there is some indication from AWS documentation, which you can add more than one resource, just use [] to make them a list.答案也有助于解决我的问题,但 AWS 文档中有一些指示,您可以添加多个资源,只需使用 [] 将它们作为列表。 http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html#vpc-endpoints-s3-bucket-policies http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html#vpc-endpoints-s3-bucket-policies
{
"Statement": [
{
"Sid": "Access-to-specific-bucket-only",
"Principal": "*",
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::my_secure_bucket",
"arn:aws:s3:::my_secure_bucket/*"]
}
]
}
解决方案3
0 2022-02-19 17:52:29
Just make the resource and array/list of resources and add an item to the list with /* as s3:GetObject applies to arn:aws:s3:::my_secure_bucket/*.只需创建资源和资源数组/列表,并使用 /* 添加一个项目到列表中,因为 s3:GetObject 适用于 arn:aws:s3:::my_secure_bucket/*。 See below见下文
"Resource": ["arn:aws:s3:::my_secure_bucket",
"arn:aws:s3:::my_secure_bucket/*"
解决方案4
-1 2018-12-28 19:09:24
Update Bucket policy as below更新存储桶策略如下
{
"Version": "2012-10-17",
"Id": "Policy1546023103427",
"Statement": [
{
"Sid": "Stmt1546023101836",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::usagereports-atul",
"arn:aws:s3:::usagereports-atul/*"
]
}
]
} }
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.