堆栈内存溢出
  简体   繁体   English

某个组上的AmazonS3FullAccess托管策略是否未授予S3权限?

[英]AmazonS3FullAccess managed policy on a group doesn't give S3 permission?

 原文  2015-02-26 12:20:05       amazon-web-services/ amazon-s3

问题描述

I have an S3 bucket that has in its policy permission for my CloudFront origin access identity: 我有一个S3存储桶,它具有我的CloudFront原始访问标识的策略权限: 

{
  "Version": "2008-10-17",
  "Id": "PolicyForCloudFrontPrivateContent",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <mine>"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<my-bucket>/*"
    }
  ]
}

Additionally I've created a group and attached the AmazonS3FullAccess managed policy to it and added an IAM user to that group. 此外,我创建了一个组并将AmazonS3FullAccess托管策略附加到该组,并向该组添加了IAM用户。 The managed policy looks like this: 托管策略如下所示: 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}

However when that user tries to add anything to the bucket, I get a 403 (access denied). 但是,当该用户尝试向存储桶添加任何内容时,我会收到403(访问被拒绝)。 I'm unsure if any other operations work, I haven't written code to try them. 我不确定是否有其他操作有效,我还没有编写代码来尝试它们。 It's only when I specifically allow that user's ARN access to the bucket directly in the bucket policy that they're allowed to add objects. 只有当我特意允许该用户的ARN直接在存储桶策略中访问存储桶时,才允许他们添加对象。 What am I missing? 我错过了什么? It seems like the above group policy should allow members of that group access to all operations in all buckets, but it doesn't do that. 看起来上面的组策略应该允许该组的成员访问所有存储桶中的所有操作,但它不会这样做。

EDIT: After a whole bunch more poring over documentation, I think I've figured out that Amazon doesn't intend for groups to be used this way. 编辑:经过一大堆更多关于文档,我想我已经发现亚马逊不打算以这种方式使用组。 They want you to use roles instead, which you can assign to an EC2 instance for automagic credential management. 他们希望您使用角色,您可以将其分配给EC2实例以进行自动凭据管理。 That's fine, but then I can't figure out how to test my code (using the aws-sdk Ruby gem) locally. 这很好,但后来我无法弄清楚如何在本地测试我的代码(使用aws-sdk Ruby gem)。 Amazon says to define environment variables for your access ID and key - but what access ID and key? 亚马逊表示要为您的访问ID和密钥定义环境变量 - 但访问ID和密钥是什么? There's no such thing for a role... 角色没有这样的事情......

1 个解决方案

解决方案1
 0  2018-02-28 03:24:38

Try replacing (in your policy): 尝试更换(在您的政策中): 

"Resource": "arn:aws:s3:::<my-bucket>/*"

with: 有: 

"Resource": ["arn:aws:s3:::<my-bucket>", "arn:aws:s3:::<my-bucket>/*",]

and: 和: 

"Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <mine>"},

with: 有: 

"Principal": {"AWS": "arn:aws:iam::ACCOUNT_ID:user/USERNAME"},

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 S3:即使附加了 AmazonS3FullAccess,访问也被拒绝 - S3: Access Denied even with AmazonS3FullAccess attached 在 AdministratorAccess 和 Amazons3FullAccess 之间选择哪个策略 - Which policy to choose between AdministratorAccess and Amazons3FullAccess 在 node.js 中删除 object 时出现 aws/sdk 错误,即使在 AmazonS3FullAccess 之后,更正存储桶策略并且不阻止任何公共访问 - aws/sdk error on deleting object in node js even after AmazonS3FullAccess, correct bucket policy and not blocking any public access AWS Glue Crawler 访问被拒绝并附加 AmazonS3FullAccess - AWS Glue Crawler Access Denied with AmazonS3FullAccess attached S3 AccessDenied与策略不匹配 - S3 AccessDenied doesn't match policy 对S3存储桶的IAM策略的权限被拒绝 - Permission denied for IAM policy to S3 bucket 为什么我的AWS S3存储桶策略不会覆盖我的IAM策略? - Why Doesn't My AWS S3 Bucket Policy Override My IAM Policy? Amazon IAM权限将S3FullAccess权限限制为一个存储桶 - Amazon IAM permissions limit S3FullAccess permission to one bucket AmazonS3Exception:拒绝访问S3 - AmazonS3Exception: Access Denied S3 S3 存储桶策略上的 AWS 根用户权限被拒绝 - AWS Root User Permission Denied on S3 Bucket policy
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM