使用Paperclip访问拒绝S3
[英]Access Denied S3 with Paperclip
问题描述
I'm getting acquainted with using S3 with ruby to upload files to Amazon Web Service. 
我熟悉使用S3和ruby将文件上传到Amazon Web Service。 I recently was confronted with the following error: AWS::S3::Errors::AccessDenied Access Denied . 我最近遇到了以下错误: AWS::S3::Errors::AccessDenied Access Denied 。 In poking around on google, I found this post on the error. 在谷歌上四处寻找,我发现这篇文章的错误。 It claims that the bucket policies aren't sufficient to allow access via the web-app and that the user must be given "Administrator Access" as well. 它声称存储桶策略不足以允许通过Web应用程序进行访问,并且用户也必须获得“管理员访问权限”。
I've given this a try and it works fine but I feel like this is an indication that I'm not doing it right, given that administrator access isn't mentioned in any other documentation I've read. 我已经尝试了这个并且它工作正常但我觉得这表明我做得不对,因为在我读过的任何其他文档中都没有提到管理员访问权限。 I'm using the aws-sdk gem. 我正在使用aws-sdk gem。 Could anyone weigh in on whether admin access is necessary? 任何人都可以权衡管理员访问是否必要? Many thanks! 非常感谢!
3 个解决方案
解决方案1
7 2016-08-13 23:48:44
None of the existing answers actually state which policies you need to grant, so here they are: s3:PutObject , s3:DeleteObject , and s3:PutObjectAcl . 现有的答案都没有说明您需要授予哪些策略,因此它们是: s3:PutObject , s3:DeleteObject ,以及s3:PutObjectAcl 。
Here's the complete S3 bucket policy I'm using to allow Paperclip to put objects with the :public_read permission: 这是我用来允许Paperclip使用:public_read权限放置对象的完整S3存储桶策略:
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::IAM_USER_ID:user/IAM_USER_NAME"
},
"Action": [
"s3:PutObject",
"s3:DeleteObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::S3_BUCKET_NAME/*"
}
]
}
解决方案2
6 2016-04-12 15:32:38
As explained in the accepted answer, you should not need "Admin Access". 如接受的答案中所述,您不应该需要“管理员访问权限”。 However, the typical policy for giving access to a bucket, as documented in some examples given by Amazon, could not be enough for paperclip. 但是,正如亚马逊给出的一些示例中所述,提供访问存储桶的典型策略对于回形针来说是不够的。
The following policy worked for me: 以下政策对我有用:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::bucket-name-to-be-set-by-you"
]
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket-name-to-be-set-by-you/*"
]
}
]
}
解决方案3
5 已采纳 2015-10-03 05:52:12
You should not really need the Admin Access to achieve this. 您不应该真的需要Admin Access来实现这一目标。 Make sure you have AWS access_key_id and secret_access_key setup in your heroku config. 确保在heroku配置中设置了AWS access_key_id和secret_access_key 。 And, you also would need to make sure your user account has an Access Policy set in the AWS IAM Console. 而且,您还需要确保您的用户帐户在AWS IAM控制台中设置了Access Policy 。
See this post for some more info. 有关更多信息,请参阅此帖子 。
The default permission for Paperclip is :public_read unless you specify the bucket to be private. 除非您将存储桶指定为私有,否则Paperclip的默认权限为:public_read 。
See this for information about Module: Paperclip::Storage::S3 有关Module:Paperclip :: Storage :: S3的信息,请参阅此处
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.