将文件从 AWS S3 下载到本地文件时出现客户端错误 (403)
[英]Client error (403) when downloading file from AWS S3 to local file
问题描述
I uploaded several .zip files to my AWS S3 bucket a while back using the AWS CLI.
不久前,我使用 AWS CLI 将几个 .zip 文件上传到了我的 AWS S3 存储桶。 Now I can't seem to download those files when using the following command:现在我在使用以下命令时似乎无法下载这些文件:
aws s3 cp s3://mybucket/test.zip test2.zip
because it yields the following error:因为它会产生以下错误:
A client error (403) occurred when calling the HeadObject operation: Forbidden
Completed 1 part(s) with ... file(s) remaining
How can I resolve this issue?我该如何解决这个问题?
Edit:编辑:
Running the following command shows the existing bucket policies运行以下命令显示现有存储桶策略
aws s3api get-bucket-policy --bucket mybucket
{
"Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Example permissions\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::221234567819:root\"},\"Action\":[\"s3:ListBucket\",\"s3:GetBucketLocation\"],\"Resource\":\"arn:aws:s3:::mybucket\"},{\"Sid\":\"Examplepermissions\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::221234567819:root\"},\"Action\":[\"s3:PutObject\",\"s3:AbortMultipartUpload\",\"s3:PutObjectAcl\",\"s3:GetObject\",\"s3:DeleteObject\",\"s3:GetObjectAcl\",\"s3:ListMultipartUploadParts\",\"s3:PutObjectAcl\"],\"Resource\":\"arn:aws:s3:::mybucket/*\"}]}"
}
2 个解决方案
解决方案1
3 2016-10-07 04:04:55
This is most likely one of three causes: 这很可能是三个原因之一:
- either that one of your policies is not permitting you to read the resources (yes, it's possible to have write permissions but not read permissions), or 您的一项政策不允许您读取资源(是的,可能有写权限但没有读权限),或者
- that your client environment is no longer setup with the correct credentials. 您的客户端环境不再使用正确的凭据进行设置。
- you don't have ListBucket permission and the file is not present (it returns 403 instead of 404, as if you don't have ListBucket, you shouldn't be able to tell if a file exists or not). 您没有ListBucket权限并且文件不存在(它返回403而不是404,就好像您没有ListBucket一样,您不应该知道文件是否存在)。
For 1, S3 objects can be secured by either Bucket Policies, User Policies or ACLs and there are complex interactions between the 3. See http://docs.aws.amazon.com/AmazonS3/latest/dev/s3-access-control.html for more details. 对于1,可以通过存储桶策略,用户策略或ACL保护S3对象,并且3之间可以进行复杂的交互。请参阅http://docs.aws.amazon.com/AmazonS3/latest/dev/s3-access-control .html了解更多详细信息。
If you update your question with details of relevant user polices, bucket policies and ACLs I could take a look and see if anything explains the symptom. 如果您使用相关的用户策略,存储桶策略和ACL的详细信息更新问题,那么我可以看看是否有任何症状可以解释。
Edit: 编辑:
Reviewing the included bucket policy, it appears to be tied to the root principal. 查看包含的存储桶策略,它似乎与根主体相关联。 Are you using root credentials for the aws s3 cli? 您是否正在使用AWS S3 CLI的根凭据? If you are using an IAM user, you will need to modify the Principal (See http://docs.aws.amazon.com/AmazonS3/latest/dev/s3-bucket-user-policy-specifying-principal-intro.html ) 如果您使用的是IAM用户,则需要修改Principal(请参阅http://docs.aws.amazon.com/AmazonS3/latest/dev/s3-bucket-user-policy-specifying-principal-intro.html )
解决方案2
0 2021-11-22 10:10:07
Add "arn:aws:s3:::your-bucket-name" together with "arn:aws:s3:::your-bucket-name/*" to Recourses in your policy.将"arn:aws:s3:::your-bucket-name"和"arn:aws:s3:::your-bucket-name/*"到您的保单中的Recourses中。 Also, you may need non-obvious "s3:ListBucket" permission and maybe some other permissions.此外,您可能需要非明显的"s3:ListBucket"权限以及其他一些权限。
My policy that works for downloading files in lambda function:我的适用于在 lambda 函数中下载文件的策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::XXXXX-pics",
"arn:aws:s3:::XXXXX-pics/*"
]
}
]
}
It is attached to the Lambda function role.它附加到 Lambda 函数角色。 No bucket policy attached to the bucket was needed.不需要附加到存储桶的存储桶策略。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.