策略拒绝对Amazon S3的访问
[英]Policy Denying Access On Amazon S3
问题描述
Using s3cmd the policy below allows me to ListAllBuckets like this : 
使用s3cmd,下面的策略允许我这样ListAllBuckets:
s3cmd ls
and ListBucket like this : 和ListBucket像这样:
s3cmd ls s3://backups/
but I cannot upload a file like this : 但是我不能上传这样的文件:
s3cmd put filename s3://backups/
I just get this error : 我刚得到这个错误:
ERROR: S3 error: Access Denied
The policy is based on searching and many examples on the web, but I just cannot see where it's going wrong. 该策略基于搜索和网络上的许多示例,但我只是看不到哪里出了问题。 The policy is to allow a user to just upload files to a backup directory (ultimately I don't even what them to list the buckets but I put that in just to check the policy was in fact being read at all). 该策略是允许用户仅将文件上传到备份目录(最后,我什至没有列出存储桶的文件,但我只是为了检查该策略是否实际上已被读取)。
Other possibly relevant info - 其他可能相关的信息-
- I created the bucket using Dragon Disk (a front end for S3) with a different user 我使用Dragon Disk(S3的前端)和其他用户创建了存储桶
- This new IAM user is connected to the policy by belonging to a group that has the policy attached. 该新IAM用户通过属于附加了策略的组而连接到该策略。
Here's the policy, note that the CreateObject and PutObject were the only two original entries, the others were added almost just to see what happened : 这是政策,请注意,CreateObject和PutObject是仅有的两个原始条目,添加了其他两个条目只是为了看看发生了什么:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl",
"s3:CreateObject",
"s3:*"
],
"Resource": "arn:aws:s3:::backups/*"
}
]
}
EDIT 1 - 编辑1-
Just to say that if I add this policy it works fine, so I know it's something to do with my policy : 只是说,如果我添加此策略,则效果很好,所以我知道这与我的策略有关:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
EDIT 2 - I have made another policy which I have used to create a bucket called "asdwasw432", just in case for whatever reason my UI created bucket was unusable. 编辑2-我制定了另一个策略,我曾用它来创建一个名为“ asdwasw432”的存储桶,以防万一我的UI创建的存储桶不可用。 But I still cannot upload any file to it (Access Denied). 但是我仍然无法上传任何文件(访问被拒绝)。 I can list the bucket and create new buckets. 我可以列出存储桶并创建新的存储桶。 All the advice seems to tell me to do exactly what I am doing below, but none if it works. 所有的建议似乎都告诉我要完全按照下面的步骤做,但如果可行,则什么也没有。 Am I missing something else? 我还有其他东西吗?
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1397834652000",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "Stmt1397834745000",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::asdwasw432",
"arn:aws:s3:::asdwasw432/*"
]
}
]
}
2 个解决方案
解决方案1
3 已采纳 2015-03-30 10:22:02
Well, I've fixed it but I'm still confused. 好吧,我已经解决了,但我仍然很困惑。
Turns out that when I ran 原来我跑的时候
s3cmd --configure
I accepted the default region of "US". 我接受了“美国”的默认区域。 This should have been set to "us-east-1". 应将其设置为“ us-east-1”。 I found this out by running debug 我通过运行调试发现了这一点
s3cmd -d ..etc...
This showed me a line that contained this - 这向我显示了包含此内容的一行-
'reason': 'Bad Request', 'data': '<?xml version="1.0"
encoding="UTF-8"?>\n<Error><Code>AuthorizationHeaderMalformed</Code>
<Message>The authorization header is malformed; the region \'US\' is
wrong; expecting \'us-east-1\'</Message><Region>us-east-1</Region>
Rerunning the config and correcting the region solved it. 重新运行配置并更正区域即可解决该问题。
Please could someone explain why I was able to make it work at all with an incorrect region if the region was in fact the issue? 如果有人实际上是问题所在,请解释一下为什么我能够在不正确的地方使用它吗? Most recently I got everything to work by making 最近,我通过
Action : "*"
which led me down another dead end of assuming I must be using the wrong commands. 这使我陷入另一场死胡同,即我必须使用错误的命令。 Just for completeness, this policy works for me (as long as the region is correct!) : 仅出于完整性考虑,此政策对我有效(只要区域正确!):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::asdwasw432",
"arn:aws:s3:::asdwasw432/*"
]
}
]
}
One final note, I have attached this policy to the user instead of the group. 最后一点,我已将此策略附加到用户而不是组。 This makes sense for my usage but when I asked the question I was attaching it to a group and adding the user to that group. 这对我的用法很有意义,但是当我问这个问题时,我是将其附加到一个组并将用户添加到该组。 Not sure if that will make a difference or not. 不确定是否会有所作为。
解决方案2
0 2015-03-28 00:58:12
"Resource": "arn:aws:s3:::backups/*"
...should be... ...应该...
"Resource": "arn:aws:s3:::your_bucket_name/backups/*"
The * you are using elsewhere is working somewhat by accident, because it'a being interpreted as "all my buckets." 您在其他地方使用的*在某种程度上是偶然的,因为它被解释为“我所有的水桶”。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.