[英]AWS S3 bucket access control
In AWS, I (joe.doe@accountXYZ) created a S3 bucket, thus I am this s3 bucket owner. 在AWS中,我(joe.doe@accountXYZ)创建了一个S3存储桶,因此我是此s3存储桶的所有者。
I want to configure this S3 bucket based on the IAM role, thus only some IAM roles, such as [role_xyz, role_abc, role_cde], can can read this bucket. 我想基于IAM角色配置此S3存储桶,因此只有某些IAM角色(例如[role_xyz,role_abc,role_cde])可以读取此存储桶。
From the AWS console, it seems that I can not configure it. 从AWS控制台看,我似乎无法对其进行配置。
Can anyone tell me whether it is possible to do that? 谁能告诉我是否可以这样做?
======== ========
I understand that from the IAM role side you can configure a policy for this s3 resource. 我了解从IAM角色方面,您可以为此s3资源配置策略。 But my question here is on the s3 resource side, whether I can define a access policy based IAM roles. 但是我的问题是在s3资源方面,是否可以定义基于IAM角色的访问策略。
It appears that your requirement is to permit certain specific roles access to a particular Amazon S3 bucket. 看来您的要求是允许某些特定角色访问特定的Amazon S3存储桶。
There are two ways to do this: 有两种方法可以做到这一点:
Option 1: Add permissions to the Role 选项1:向角色添加权限
This is the preferred option. 这是首选选项。 You can add a policy to the IAM Role that grants access to the bucket. 您可以将策略添加到IAM角色,以授予对存储桶的访问权限。 It would look similar to: 它看起来类似于:
{
"Id": "Policy1",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::mybucket",
"arn:aws:s3:::mybucket/*"
]
}
]
}
This is a good method because you just add the policy to the desired Role(s), without having to touch the actual buckets. 这是一个很好的方法,因为您只需将策略添加到所需的角色,而无需接触实际的存储桶。
Option 2: Add a Bucket Policy 选项2:添加存储桶策略
This involves putting the permissions on the bucket , which grants access to a specific role. 这涉及将权限放到存储桶中 ,以授予对特定角色的访问权限。 This is less desirable because you would have to put the policy on every bucket and refer to every Role. 这是不太理想的,因为您必须将策略放在每个存储桶上并引用每个角色。
It would look something like: 它看起来像:
{
"Id": "Policy1",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::mybucket",
"arn:aws:s3:::my-bucket/*"
],
"Principal": "arn:aws:iam::123456789012:role/my-role"
}
]
}
Please note that these policies are granting s3:*
permissions on the bucket, that might be too wide for your purposes. 请注意,这些策略正在授予存储桶中的s3:*
权限,对于您的用途而言,该权限可能太宽了。 It is always best to only grant the specific, required permissions rather than granting all permissions. 始终最好只授予特定的必需权限,而不是授予所有权限。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.