[英]Why this AWS IAM policy only works with an asterisk on the resource?
I'm trying to download some files I already uploaded to S3 with some Python code, but I'm getting headaches trying to use a tight policy. 我正在尝试使用一些Python代码下载一些已经上传到S3的文件,但是尝试使用严格的策略时会感到头疼。
I can list all the files in the bucket, but when I try do download them with what I see as a correct policy, I get botocore.exceptions.ClientError: An error occurred (403) when calling the HeadObject operation: Forbidden
我可以列出存储桶中的所有文件,但是当我尝试使用正确的策略下载它们时,我得到botocore.exceptions.ClientError: An error occurred (403) when calling the HeadObject operation: Forbidden
Then, when I was trying to add a different policy that worked for 2 different buckets, I added part of the bucket's name, then the asterisk, and for some reason, the same exact thing worked. 然后,当我尝试添加适用于2个不同存储桶的不同策略时,我添加了存储桶名称的一部分,然后添加了星号,并且由于某种原因,同样的东西也起作用了。
So can someone tell me why this happens? 那么有人可以告诉我为什么会这样吗?
This for example, is what works like a charm: 例如,这就是一种魅力:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1499955913000",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::THE-BEGINING-OF-THE-NAME*"
}
]
}
But this doesn't: 但这不是:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1499955913000",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::THE-EXACT-COMPLETE-FULL-NAME"
}
]
}
I can add the python code for the download if it's relevant, but this questions seems long enough, and the code is pretty straightforward 如果相关,我可以添加用于下载的python代码,但是这个问题似乎足够长,并且代码非常简单
Seems I just needed some rubber duck debugging, the answer was I think counter intuitive, but easy: 似乎我只需要进行一些橡皮鸭调试,答案是我认为计数器很直观,但很简单:
It seems the ARN it's not only an identifier for the AWS resource itself, but also it's content. 似乎ARN不仅是AWS资源本身的标识符,而且还是内容。 So, when giving permissions, you need to give permissions to "the bucket" for listing it, and "the content" to download it 因此,在授予权限时,您需要授予“存储桶”的权限以列出它,并授予“内容”的下载权限
Which leads to a policy like this: 这导致了这样的政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1499955913000",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::THE-EXACT-COMPLETE-FULL-NAME",
"arn:aws:s3:::THE-EXACT-COMPLETE-FULL-NAME/*"
}
]
}
Which, as I said, gives control over the bucket itself, with no asterisks, and whatever goes after the slash bar 正如我所说,它可以控制铲斗本身,不带星号,也可以控制斜杠后的所有东西
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.