如何限制用户仅查看特定存储桶
[英]How to restrict user to view only specific buckets
问题描述
I have a set of users: user1 and user2.
我有一组用户:user1 和 user2。 Ideally they should have access to read and write in their own buckets.理想情况下,他们应该有权在自己的存储桶中进行读写。
I want to give them console access so they can login and upload the data in S3 through drag and drop.我想为他们提供控制台访问权限,以便他们可以通过拖放登录并上传 S3 中的数据。
So I want to the ability of one user to view buckets of other users.所以我希望一个用户能够查看其他用户的存储桶。
I am using the following IAM policy:我正在使用以下 IAM 政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads"
],
"Resource": "arn:aws:s3:::user1_bucket",
"Condition": {}
},
{
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl"
],
"Resource": "arn:aws:s3:::user1_bucket/*",
"Condition": {}
}
]
}
But it does not show any bucket for the user.但它没有为用户显示任何存储桶。 All the user can see is Access Denied .用户只能看到Access Denied 。 I tried to add principal in the policy:我试图在策略中添加主体:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::9xxxxxxxxxx:user/user1"},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::user1_bucket"
]
}
]
}
This gives an error.这给出了一个错误。
This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar, see AWS IAM Policies
What can I do?我能做些什么?
2 个解决方案
解决方案1
0 2019-11-12 14:02:06
There are two ways you can do this.有两种方法可以做到这一点。
Bucket policies: You select who can access and control said bucket, by attaching a policy.存储桶策略:您可以通过附加策略访问和控制所述存储桶的 select。 Example for your case:您的案例示例:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "bucketAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AWS-account-ID:user/user-name"
},
"Action": [
"s3:GetObject",
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl"
],
"Resource": [
"arn:aws:s3:::examplebucket/*"
]
}
]
}
Source: Bucket Policy Examples - Amazon Simple Storage Service来源: 存储桶策略示例 - Amazon Simple Storage Service
Or you can give access through role policies , which I think is better.或者您可以通过角色策略授予访问权限,我认为这更好。 You almost had it, but you messed up at the end.你几乎拥有它,但最后你搞砸了。 Your policy should look something like this:您的政策应如下所示:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::examplebucket"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::examplebucket/"
}
]
}
Source: User Policy Examples - Amazon Simple Storage Service来源: 用户策略示例 - Amazon Simple Storage Service
I hope this helps.我希望这有帮助。
解决方案2
0 2019-11-19 22:42:31
It appears that your requirement is:看来您的要求是:
- Users should be able to use the Amazon S3 management console to access (view, upload, download) their own S3 bucket用户应该能够使用 Amazon S3 管理控制台访问(查看、上传、下载)他们自己的 S3 存储桶
- They should not be able to view the names of other buckets, nor access those buckets他们应该不能查看其他存储桶的名称,也不能访问这些存储桶
With listing buckets列出存储桶
The first requirement can be met with a policy like this:第一个要求可以通过这样的策略来满足:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AccessThisBucket",
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
]
},
{
"Sid": "ListAllBucketForS3Console",
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
}
]
}
This allow them to access their specific bucket, but it also allows them to list all bucket names .这允许他们访问他们的特定存储桶,但也允许他们列出所有存储桶名称。 This is a requirement of the Amazon S3 management console, since the first thing it does is list all of the buckets.这是 Amazon S3 管理控制台的要求,因为它首先要做的是列出所有存储桶。
Without listing buckets不列出存储桶
However, since you do not want to give these users the ability to list the names of all buckets, you could use a policy like this:但是,由于您不想让这些用户能够列出所有存储桶的名称,因此您可以使用如下策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
]
}
]
}
This gives them full access to their own bucket, but they cannot list the names of other buckets.这使他们可以完全访问自己的存储桶,但他们无法列出其他存储桶的名称。
To use this in the management console, they will need to jump directly to their bucket using a URL like this:要在管理控制台中使用它,他们需要使用 URL直接跳转到他们的存储桶,如下所示:
https://console.aws.amazon.com/s3/buckets/my-bucket
This will then allow them to access and use their bucket.这将允许他们访问和使用他们的存储桶。
They will also be able to use AWS Command-Line Interface (CLI) commands like:他们还将能够使用AWS 命令行界面 (CLI)命令,例如:
aws s3 ls s3://my-bucket
aws s3 cp foo.txt s3://my-bucket/foo.txt
Bottom line: To use the management console without permission to list all buckets, they will need to use a URL that jumps straight to their bucket.底线:要在未经许可的情况下使用管理控制台列出所有存储桶,他们将需要使用直接跳转到其存储桶的 URL。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.