[英]S3 AccessDenied doesn't match policy
I have the following policy: 我有以下政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "StmtXXX",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::MYBUCKET"
]
}
]
}
(yes, I intend to scope back the s3:*
when I get it working) (是的,我打算在我开始工作的时候回顾s3:*
)
The following list bucket operation works OK: 以下列表桶操作正常:
$ aws s3 ls s3://MYBUCKET/test --profile MYPROFILE --region eu-west-1
2016-11-30 15:21:13 16712119 test
But a PUT won't work 但是PUT不起作用
$ aws s3 cp /tmp/test2 s3://MYBUCKET/test2 --profile MYPROFILE --region eu-west-1
upload failed: ../../../../tmp/test2 to s3://MYBUCKET/test2
A client error (AccessDenied) occurred when calling the CreateMultipartUpload operation: Access Denied
Parameter validation failed:
Invalid type for parameter UploadId, value: None, type: <type 'NoneType'>, valid types: <type 'basestring'>
I've tried this in the IAM Policy Simulator and it seems like it should work. 我在IAM策略模拟器中试过这个,看起来它应该可行。 I've verified that the keys correspond to the correct user. 我已经确认密钥对应于正确的用户。
(I've also tried with my own credentials and the operations work fine, so I don't think it's a syntax error) (我也尝试使用自己的凭据,操作正常,所以我认为这不是语法错误)
Should this work? 这有用吗? Any ideas why it isn't? 任何想法为什么不是?
The answer to this seems to be that the IAM policy can take some time to propagate. 答案似乎是IAM策略可能需要一些时间来传播。 This went from not working, to being intermittent, to working. 这从不工作,到间歇,到工作。
So if you face an inexplicable situation, wait a few minutes. 所以,如果你面临一个莫名其妙的情况,请等几分钟。
You need to enter the bucket contents as a resource separately from the bucket itself if you are specifying the bucket and object actions in the same statement 如果要在同一语句中指定存储桶和对象操作,则需要将存储桶内容作为资源与存储桶本身分开输入
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "StmtXXX",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::MYBUCKET",
"arn:aws:s3:::MYBUCKET/*"
]
}
]
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.