[英]Amazon S3 bucket policy, what am I doing wrong?
I used the Policy Generator to create a simple rule for my bucket; 我使用策略生成器为我的存储桶创建了一条简单规则; the rules should allow the following intended effect:
该规则应具有以下预期效果:
To this purpose I wrote the following rule, but somethng didnt work as expected, and in particular, I have totally lost access to the bucket elements, was getting "Access Denied" in all cases, root included: 为此,我编写了以下规则,但是某件事没有按预期工作,特别是我完全失去了对存储桶元素的访问,在所有情况下都获得“访问被拒绝”,包括root:
edit : with @jarmod answer I was able to set the intended functionality, however it trigger a warning, about the bucket being public, I do not see the difference respect having no policy, the bucket is still publicly accessible for read-only. 编辑 :使用@jarmod答案,我能够设置预期的功能,但是它会触发有关存储桶公开的警告,我看不到没有政策的区别,存储桶仍可公开访问以只读。 What is the difference?
有什么区别?
Perhaps you could do this as follows: 也许您可以这样做,如下所示:
You could do this with a policy something like this: 您可以使用类似以下的策略来做到这一点:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::mybucket/*"
]
},
{
"Effect": "Deny",
"Principal": "*",
"NotAction": "s3:GetObject",
"Resource": [
"arn:aws:s3:::mybucket/*"
],
"Condition": {
"StringNotLike": {
"aws:userId": [
"iam-userid-here",
"root-userid-here"
]
}
}
}
]
}
To get iam-userid-here
, run aws iam list-users
and retrieve the UserId for the IAM user. 要
iam-userid-here
获取iam-userid-here
,请运行aws iam list-users
并检索IAM用户的UserId。
Similarly, to get root-userid-here
, simply retrieve the account number from the Arn of the previous aws iam list-users
output. 同样,要
root-userid-here
获得root-userid-here
,只需从先前的aws iam list-users
输出的Arn中检索帐号。 The root account userId is the AWS account number. 根帐户userId 是 AWS帐号。
The IAM user indicated by iam-userid-here
could then have an IAM policy allowing S3 access. 然后,由
iam-userid-here
指示的iam-userid-here
可以具有允许S3访问的IAM策略。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.