允许 S3 访问 AWS 控制台中当前经过身份验证的用户的 S3 存储桶策略?
[英]S3 Bucket Policy to allow S3 Access to Current Authenicated user in AWS Console?
问题描述
I have an application where I am using Cognito to authenticate users and giving temporary access to AWS Console but that user is able to see all other buckets, I want that user just should be able to see or access buckets created by him.
我有一个应用程序,我在其中使用 Cognito 对用户进行身份验证并授予对 AWS 控制台的临时访问权限,但该用户能够查看所有其他存储桶,我希望该用户应该能够查看或访问他创建的存储桶。
Currently, I have given S3FullAccess Policy to Cognito users.目前,我已经向 Cognito 用户提供了 S3FullAccess 策略。 Can anyone suggest which policy I should attach?谁能建议我应该附加哪个政策?
As per my R&D, I can some policies are there that can restrict particular user or allow particular user but my users will be dynamic, so I cannot hard-code the values and also policies like allowing/restricting access to particular buckets, I want only users who create buckets should be able to access not other users.根据我的研发,我可以有一些策略可以限制特定用户或允许特定用户,但我的用户将是动态的,所以我不能硬编码这些值以及允许/限制访问特定存储桶的策略,我只想要创建存储桶的用户应该无法访问其他用户。
This is something which i found这是我发现的东西
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::bucket-name",
"Condition": {
"StringLike": {
"s3:prefix": [
"",
"home/",
"home/${aws:userid}/*"
]
}
}
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket-name/home/${aws:userid}",
"arn:aws:s3:::bucket-name/home/${aws:userid}/*"
]
}
]
}
But this is listing all buckets and the only accessible bucket is what put in the code above, I want for new user, it should show nothing and as it creates, it should show that only但这是列出所有存储桶,唯一可访问的存储桶是上面代码中的内容,我想要新用户,它不应该显示任何内容,并且在创建时,它应该显示只有
1 个解决方案
解决方案1
1 已采纳 2020-01-30 13:15:32
This is not going to be easy and you will need to create your own policy and enforce some conventions.这并不容易,您需要创建自己的策略并强制执行一些约定。 You have 3 options.您有 3 个选择。
But first, if each user just needs their own S3 space look at S3 Prefix [here]( https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-authentication-part-3-roles-and-policies/ ) Also, you can do this on the S3 resource bucket.但首先,如果每个用户只需要自己的 S3 空间,请查看 S3 前缀 [此处]( https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-authentication-part-3-roles-and- policy/ ) 此外,您可以在 S3 资源存储桶上执行此操作。 I have a template for doing this here in gitlab我有一个在 gitlab 中执行此操作的模板
Now back to answering your question.现在回到回答你的问题。
Option 1;选项1;They will need to set a tag when they create the bucket where an "owner" tag is equal to their identity.当他们创建“所有者”标签等于他们的身份的存储桶时,他们需要设置一个标签。I striked this one out because despite being listed in the IAM policy I'm pretty sure it doesn't work with S3.我删除了这个,因为尽管被列在 IAM 政策中,但我很确定它不适用于 S3。Option 2: The prefix of the bucket name is equal to their identity.
选项二:桶名前缀等于他们的身份。
Then you can use the feature of variables and tags in IAM Policy.然后您就可以使用 IAM Policy 中的变量和标签功能了。 Read here 在这里阅读
Note that coginto users are web federated identities so the variable aws:username is not aviable for you.请注意,coginto 用户是网络联合身份,因此变量 aws:username 对您不可用。 Use the aws:userid variable and the value will be role id:caller-specified-role-name where role id is the unique id of the role and the caller-specified-role-name is specified by the RoleSessionName parameter passed to the AssumeRoleWithWebIdentity request使用 aws:userid 变量,值将是角色 id:caller-specified-role-name 其中角色 id 是角色的唯一 id,调用者指定的角色名称由传递给 AssumeRoleWithWebIdentity 的 RoleSessionName 参数指定要求
- Option 3: Use IAM Access Policy选项 3:使用 IAM 访问策略
I can not find a link to the how to at the moment.我目前找不到方法的链接。 But from here is a detailed description.但从这里是一个详细的描述。
Q: How do I control what a federated user is allowed to do when signed in to the console?
The nice thing about this approach is you programmatically create the access policy.这种方法的好处是您可以以编程方式创建访问策略。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.