[英]AmazonS3FullAccess managed policy on a group doesn't give S3 permission?
I have an S3 bucket that has in its policy permission for my CloudFront origin access identity: 我有一个S3存储桶,它具有我的CloudFront原始访问标识的策略权限:
{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <mine>"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::<my-bucket>/*"
}
]
}
Additionally I've created a group and attached the AmazonS3FullAccess managed policy to it and added an IAM user to that group. 此外,我创建了一个组并将AmazonS3FullAccess托管策略附加到该组,并向该组添加了IAM用户。 The managed policy looks like this:
托管策略如下所示:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
However when that user tries to add anything to the bucket, I get a 403 (access denied). 但是,当该用户尝试向存储桶添加任何内容时,我会收到403(访问被拒绝)。 I'm unsure if any other operations work, I haven't written code to try them.
我不确定是否有其他操作有效,我还没有编写代码来尝试它们。 It's only when I specifically allow that user's ARN access to the bucket directly in the bucket policy that they're allowed to add objects.
只有当我特意允许该用户的ARN直接在存储桶策略中访问存储桶时,才允许他们添加对象。 What am I missing?
我错过了什么? It seems like the above group policy should allow members of that group access to all operations in all buckets, but it doesn't do that.
看起来上面的组策略应该允许该组的成员访问所有存储桶中的所有操作,但它不会这样做。
EDIT: After a whole bunch more poring over documentation, I think I've figured out that Amazon doesn't intend for groups to be used this way. 编辑:经过一大堆更多关于文档,我想我已经发现亚马逊不打算以这种方式使用组。 They want you to use roles instead, which you can assign to an EC2 instance for automagic credential management.
他们希望您使用角色,您可以将其分配给EC2实例以进行自动凭据管理。 That's fine, but then I can't figure out how to test my code (using the aws-sdk Ruby gem) locally.
这很好,但后来我无法弄清楚如何在本地测试我的代码(使用aws-sdk Ruby gem)。 Amazon says to define environment variables for your access ID and key - but what access ID and key?
亚马逊表示要为您的访问ID和密钥定义环境变量 - 但访问ID和密钥是什么? There's no such thing for a role...
角色没有这样的事情......
Try replacing (in your policy): 尝试更换(在您的政策中):
"Resource": "arn:aws:s3:::<my-bucket>/*"
with: 有:
"Resource": ["arn:aws:s3:::<my-bucket>", "arn:aws:s3:::<my-bucket>/*",]
and: 和:
"Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <mine>"},
with: 有:
"Principal": {"AWS": "arn:aws:iam::ACCOUNT_ID:user/USERNAME"},
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.