Boto3 - S3 Bucket Policy Update
I am trying to modify the bucket policy of one of my buckets using boto3. Please refer to the following initial/existing bucket policy of the bucket:
    {
        "Version": "2012-10-17",
        "Id": "Policy1604310539665",
        "Statement": [
            {
                "Sid": "Stmt1604310537860",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::xxx:root"
                },
                "Action": [
                    "s3:ListBucket",
                    "s3:PutObject"
                ],
                "Resource": [
                    "arn:aws:s3:::bucket",
                    "arn:aws:s3:::bucket*"
                ]
            }
        ]
    }
I am trying to modify the above policy using the following piece of code; I am trying to attach one more role to the bucket policy:
    import boto3
    import json

    # Placeholders: the bucket to update and the role ARN to add to its policy
    bucket_name = "bucket"
    role_arn = "arn:aws:iam::xxx:role/xx-xx-xx"

    s3 = boto3.client('s3')
    result = s3.get_bucket_policy(Bucket=bucket_name)
    policy_statement = json.loads(result['Policy'])

    # "Principal": {"AWS": ...} may hold a single ARN string or a list of ARNs
    store = policy_statement['Statement'][0]['Principal']['AWS']
    del policy_statement['Statement'][0]['Principal']['AWS']
    if isinstance(store, str):
        role_arn_list = [role_arn] + [store]
    else:
        role_arn_list = [role_arn] + store
    policy_statement['Statement'][0]['Principal'].update({"AWS": role_arn_list})

    # Convert the policy from JSON dict to string
    policy_new = json.dumps(policy_statement)

    # Update the policy of the given bucket
    s3.put_bucket_policy(Bucket=bucket_name, Policy=policy_new)
The above code works fine, but when I try to put the policy to the bucket I am getting a MalformedPolicy exception. When I tried to debug and find the policy that is created using the above code, I can see the following policy:
    {
        'Version': '2012-10-17',
        'Id': 'Policy1604310539665',
        'Statement': [{
            'Sid': 'Stmt1604310537860',
            'Effect': 'Allow',
            'Principal': {
                'AWS': ['arn:aws:iam::xxx:role/xx-xx-xx', 'arn:aws:iam::xx:root',
                        'AROAVCQ6H5MBRCO7T5NKB'
                ]
            },
            'Action': ['s3:ListBucket', 's3:PutObject'],
            'Resource': ['arn:aws:s3:::bucket', 'arn:aws:s3:::bucket/*']
        }]
    }
Problem: I am not able to understand where the random string AROAVCQ6H5MBRCO7T5NKB is coming from and how to handle this?
An identifier starting with AROA is a unique ID for an IAM Role, much like an Access Key always starts with AKIA.

See: IAM identifiers - AWS Identity and Access Management
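As an added example (not the asker's or the answerer's code), the merge done by hand in the question written as a function that also detects the bare unique IDs the answer describes. It assumes hypothetical helper names, a placeholder account ID, a constructed sample policy, and the documented AWS behaviour that when a principal named in a resource-based policy is deleted, its ARN in that policy is replaced by its unique ID, which put_bucket_policy then rejects as MalformedPolicy.

```python
import json
import re

# AWS rewrites a resource-based policy when a principal it names is deleted: the ARN is
# replaced by the principal's unique ID (AROA... for a role, AIDA... for a user). Such an
# entry is not a valid principal, so put_bucket_policy rejects it with MalformedPolicy.
ORPHANED_ID_RE = re.compile(r"^(AROA|AIDA)[A-Z0-9]+$")

def aws_principals(statement):
    """Return the statement's AWS principals as a list (a lone principal is a string)."""
    aws = statement.get("Principal", {}).get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)

def find_orphaned_principals(policy):
    """Collect principal entries that are bare unique IDs instead of ARNs."""
    return [p for st in policy["Statement"] for p in aws_principals(st)
            if ORPHANED_ID_RE.match(p)]

def add_principal(policy, role_arn, sid=None):
    """Return a copy of the policy with role_arn added to the AWS principals of the
    first statement (or of the statement whose Sid matches), without duplicates and
    with orphaned unique IDs dropped so the result is accepted by AWS."""
    policy = json.loads(json.dumps(policy))  # deep copy; the caller's dict is untouched
    target = next(s for s in policy["Statement"] if sid is None or s.get("Sid") == sid)
    principals = [p for p in aws_principals(target) if not ORPHANED_ID_RE.match(p)]
    if role_arn not in principals:
        principals.insert(0, role_arn)
    # keep the single-string form when only one principal remains
    target.setdefault("Principal", {})["AWS"] = principals if len(principals) > 1 else principals[0]
    return policy

def update_bucket_policy(s3, bucket_name, role_arn):
    """Fetch, patch and write back a bucket policy using a boto3 S3 client (hypothetical helper)."""
    current = json.loads(s3.get_bucket_policy(Bucket=bucket_name)["Policy"])
    s3.put_bucket_policy(Bucket=bucket_name, Policy=json.dumps(add_principal(current, role_arn)))

# Constructed sample mirroring the question: placeholder account ID, a root principal and
# an orphaned unique ID left behind by a deleted role.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1604310537860",
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::123456789012:root", "AROAEXAMPLEDELETEDROLE"]},
        "Action": ["s3:ListBucket", "s3:PutObject"],
        "Resource": ["arn:aws:s3:::bucket", "arn:aws:s3:::bucket/*"],
    }],
}
```

Running find_orphaned_principals on the fetched policy before writing it back tells you which deleted principals to drop, and add_principal does both the merge and the cleanup in one step.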