
AWS S3 permissions - error with put-bucket-acl

I am trying to move an S3 bucket from one account (A) to another (B). I have succeeded with that operation and removed the bucket from account A. I am trying to move the new bucket from account B to another bucket on account B, but learning that beside the bucket itself I have no access to the files. After much fighting with s3 cli and its permissions I checked s3api commands and found out that the files (surprise surprise) still hold the old ownership. I am trying now to change it, but came to a standstill with put-bucket-acl: the JSON file isn't working for the s3api command. I tried running the command in debug, but didn't make too much out of it. Anybody knows what to do? Maybe a better way to solve this issue?

What I did so far. The command:

aws s3api put-bucket-acl --bucket my-bucket  --cli-input-json file://1.json

(Same with put-object-acl)

1.json file:

{
  "Grantee": {
    "DisplayName": "account_B",
    "EmailAddress": "user@mail.com",
    "ID": "111111hughalphnumericnumber22222",
    "Type": "CanonicalUser",
    "Permission": "FULL_CONTROL"
  }
}

The errors I get:

Unknown parameter in input: "Grantee", must be one of: ACL, AccessControlPolicy, Bucket, ContentMD5, GrantFullControl, GrantRead, GrantReadACP, GrantWrite, GrantWriteACP

Unknown parameter in input: "Permission", must be one of: ACL, AccessControlPolicy, Bucket, ContentMD5, GrantFullControl, GrantRead, GrantReadACP, GrantWrite, GrantWriteACP

UPDATE: AssumeRole between the 2 accounts doesn't work in my case. CLI (s3cmd, s3api), GUI (MCSTools, bucketexplorer), ACL using headers/body (Postman) did not help as well.. I'm contacting AWS support and hoping for the best. I'll update when I have a solution.

So, AWS support came to the rescue... I'm leaving this for others to see, so they won't have to waste 2 days like I did trying to figure out what the hell went wrong...

aws s3api get-object-acl --bucket <bucket_on_B> --key <Key_on_B_Owned_by_A>  --profile IAM_User_A > A_to_B.json

apply the outcome of:

aws s3api get-bucket-acl --bucket <Bucket_on_B> --profile IAM_User_B

onto the JSON file that was created, and then run

aws s3api put-object-acl --bucket <Bucket_on_B> --key <Key_on_B_Owned_by_A> --access-control-policy file://A_to_B.json --profile IAM_User_A

Your JSON is wrong. According to the documentation for the put-bucket-acl option you can generate a valid JSON template ('skeleton') using --generate-cli-skeleton. For example:

aws s3api put-bucket-acl --bucket BUCKETNAME --generate-cli-skeleton

And here is the output:

{
    "ACL": "", 
    "AccessControlPolicy": {
        "Grants": [
            {
                "Grantee": {
                    "DisplayName": "", 
                    "EmailAddress": "", 
                    "ID": "", 
                    "Type": "", 
                    "URI": ""
                }, 
                "Permission": ""
            }
        ], 
        "Owner": {
            "DisplayName": "", 
            "ID": ""
        }
    }, 
    "Bucket": "", 
    "ContentMD5": "", 
    "GrantFullControl": "", 
    "GrantRead": "", 
    "GrantReadACP": "", 
    "GrantWrite": "", 
    "GrantWriteACP": ""
}

For anyone who's still looking to do this - OP probably looked at the right AWS doc but overlooked the right command. I'm just glad I got to the right command because of this stackoverflow page :)

https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-acl.html

^^ The JSON syntax with an example is present there, and instead of --cli-input-json, use --access-control-policy

{
  "Grants": [
    {
      "Grantee": {
        "DisplayName": "string",
        "EmailAddress": "string",
        "ID": "string",
        "Type": "CanonicalUser"|"AmazonCustomerByEmail"|"Group",
        "URI": "string"
      },
      "Permission": "FULL_CONTROL"|"WRITE"|"WRITE_ACP"|"READ"|"READ_ACP"
    }
    ...
  ],
  "Owner": {
    "DisplayName": "string",
    "ID": "string"
  }
}

I had the policy as a JSON file and used this command; it worked just fine.

aws s3api put-bucket-acl --bucket bucketname --access-control-policy file://yourJson.json

Also one more thing to note is that I wasn't able to add permissions along with existing ones; the old ACL was being overwritten. So any permission you want to add needs to be in the JSON policy file along with the existing policy. It will be easier when you use some command to describe all the ACLs first.
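The merge step from the accepted answer (take the get-object-acl output, fold in the bucket owner's grants, feed the result to put-object-acl) combined with the warning just above that put-*-acl replaces the whole ACL rather than appending to it, as an added example that is not from the question, the answers or the AWS CLI. It assumes the two get-*-acl outputs have already been saved as JSON; the canonical IDs are constructed placeholders.

```python
import json

VALID_TYPES = {"CanonicalUser", "AmazonCustomerByEmail", "Group"}
VALID_PERMISSIONS = {"FULL_CONTROL", "WRITE", "WRITE_ACP", "READ", "READ_ACP"}
# The field that identifies a grantee of each Type (see the CLI skeleton above).
GRANTEE_KEY = {"CanonicalUser": "ID", "AmazonCustomerByEmail": "EmailAddress", "Group": "URI"}

def grant_error(grant):
    """Return why put-object-acl/put-bucket-acl would reject this grant, or None."""
    grantee = grant.get("Grantee", {})
    gtype = grantee.get("Type")
    if gtype not in VALID_TYPES:
        return f"bad Grantee.Type: {gtype!r}"
    if not grantee.get(GRANTEE_KEY[gtype]):
        return f"Grantee of Type {gtype} needs {GRANTEE_KEY[gtype]}"
    if grant.get("Permission") not in VALID_PERMISSIONS:
        return f"bad Permission: {grant.get('Permission')!r}"
    return None

def grant_key(grant):
    # (Type, identifier, Permission) identifies a grant for de-duplication.
    g = grant["Grantee"]
    return (g["Type"], g[GRANTEE_KEY[g["Type"]]], grant["Permission"])

def merge_acls(object_acl, bucket_acl):
    """AccessControlPolicy keeping every grant already on the object plus the bucket's
    grants, without duplicates. Owner stays as-is: put-object-acl cannot change it."""
    merged, seen = [], set()
    for grant in object_acl["Grants"] + bucket_acl["Grants"]:
        err = grant_error(grant)
        if err:
            raise ValueError(err)
        k = grant_key(grant)
        if k not in seen:
            seen.add(k)
            merged.append(grant)
    return {"Grants": merged, "Owner": object_acl["Owner"]}

# Constructed sample input standing in for get-object-acl (run as A) and
# get-bucket-acl (run as B); the IDs are placeholders, not real canonical IDs.
OBJECT_ACL = {"Owner": {"DisplayName": "account_A", "ID": "CANONICAL_ID_A"},
              "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "CANONICAL_ID_A"},
                          "Permission": "FULL_CONTROL"}]}
BUCKET_ACL = {"Owner": {"DisplayName": "account_B", "ID": "CANONICAL_ID_B"},
              "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "CANONICAL_ID_B"},
                          "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    # Writes the file for: aws s3api put-object-acl ... --access-control-policy file://A_to_B.json
    with open("A_to_B.json", "w") as fh:
        json.dump(merge_acls(OBJECT_ACL, BUCKET_ACL), fh, indent=4)
```

Running the merge over the real get-object-acl and get-bucket-acl output keeps account A's existing grant next to account B's, so the subsequent put-object-acl does not silently drop anything.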

The syntax is the following (with example):

aws s3api put-bucket-acl --bucket bucket_name --access-control-policy file://grant.json

grant.json file:

{
    "Grants": [
        {
            "Grantee": {
                "ID": "CANONICAL_ID_TO_GRANT",
                "Type": "CanonicalUser"
            },
            "Permission": "WRITE"
        },
        {
            "Grantee": {
                "ID": "CANONICAL_ID_TO_GRANT",
                "Type": "CanonicalUser"
            },
            "Permission": "READ"
        }
    ],
    "Owner": {
        "DisplayName": "example_owner",
        "ID": "CANONICAL_ID_OWNER"
    }
}
