[英]Policy Denying Access On Amazon S3
Using s3cmd the policy below allows me to ListAllBuckets like this : 使用s3cmd,下面的策略允许我这样ListAllBuckets:
s3cmd ls
and ListBucket like this : 和ListBucket像这样:
s3cmd ls s3://backups/
but I cannot upload a file like this : 但是我不能上传这样的文件:
s3cmd put filename s3://backups/
I just get this error : 我刚得到这个错误:
ERROR: S3 error: Access Denied
The policy is based on searching and many examples on the web, but I just cannot see where it's going wrong. 该策略基于搜索和网络上的许多示例,但我只是看不到哪里出了问题。 The policy is to allow a user to just upload files to a backup directory (ultimately I don't even what them to list the buckets but I put that in just to check the policy was in fact being read at all).
该策略是允许用户仅将文件上传到备份目录(最后,我什至没有列出存储桶的文件,但我只是为了检查该策略是否实际上已被读取)。
Other possibly relevant info - 其他可能相关的信息-
Here's the policy, note that the CreateObject and PutObject were the only two original entries, the others were added almost just to see what happened : 这是政策,请注意,CreateObject和PutObject是仅有的两个原始条目,添加了其他两个条目只是为了看看发生了什么:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl",
"s3:CreateObject",
"s3:*"
],
"Resource": "arn:aws:s3:::backups/*"
}
]
}
EDIT 1 - 编辑1-
Just to say that if I add this policy it works fine, so I know it's something to do with my policy : 只是说,如果我添加此策略,则效果很好,所以我知道这与我的策略有关:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
EDIT 2 - I have made another policy which I have used to create a bucket called "asdwasw432", just in case for whatever reason my UI created bucket was unusable. 编辑2-我制定了另一个策略,我曾用它来创建一个名为“ asdwasw432”的存储桶,以防万一我的UI创建的存储桶不可用。 But I still cannot upload any file to it (Access Denied).
但是我仍然无法上传任何文件(访问被拒绝)。 I can list the bucket and create new buckets.
我可以列出存储桶并创建新的存储桶。 All the advice seems to tell me to do exactly what I am doing below, but none if it works.
所有的建议似乎都告诉我要完全按照下面的步骤做,但如果可行,则什么也没有。 Am I missing something else?
我还有其他东西吗?
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1397834652000",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "Stmt1397834745000",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::asdwasw432",
"arn:aws:s3:::asdwasw432/*"
]
}
]
}
Well, I've fixed it but I'm still confused. 好吧,我已经解决了,但我仍然很困惑。
Turns out that when I ran 原来我跑的时候
s3cmd --configure
I accepted the default region of "US". 我接受了“美国”的默认区域。 This should have been set to "us-east-1".
应将其设置为“ us-east-1”。 I found this out by running debug
我通过运行调试发现了这一点
s3cmd -d ..etc...
This showed me a line that contained this - 这向我显示了包含此内容的一行-
'reason': 'Bad Request', 'data': '<?xml version="1.0"
encoding="UTF-8"?>\n<Error><Code>AuthorizationHeaderMalformed</Code>
<Message>The authorization header is malformed; the region \'US\' is
wrong; expecting \'us-east-1\'</Message><Region>us-east-1</Region>
Rerunning the config and correcting the region solved it. 重新运行配置并更正区域即可解决该问题。
Please could someone explain why I was able to make it work at all with an incorrect region if the region was in fact the issue? 如果有人实际上是问题所在,请解释一下为什么我能够在不正确的地方使用它吗? Most recently I got everything to work by making
最近,我通过
Action : "*"
which led me down another dead end of assuming I must be using the wrong commands. 这使我陷入另一场死胡同,即我必须使用错误的命令。 Just for completeness, this policy works for me (as long as the region is correct!) :
仅出于完整性考虑,此政策对我有效(只要区域正确!):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::asdwasw432",
"arn:aws:s3:::asdwasw432/*"
]
}
]
}
One final note, I have attached this policy to the user instead of the group. 最后一点,我已将此策略附加到用户而不是组。 This makes sense for my usage but when I asked the question I was attaching it to a group and adding the user to that group.
这对我的用法很有意义,但是当我问这个问题时,我是将其附加到一个组并将用户添加到该组。 Not sure if that will make a difference or not.
不确定是否会有所作为。
"Resource": "arn:aws:s3:::backups/*"
...should be... ...应该...
"Resource": "arn:aws:s3:::your_bucket_name/backups/*"
The *
you are using elsewhere is working somewhat by accident, because it'a being interpreted as "all my buckets." 您在其他地方使用的
*
在某种程度上是偶然的,因为它被解释为“我所有的水桶”。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.