I have full S3 permissions, confirmed with simulator, but getting an access denied using AWS S3 SDK for Rails

I am attaching images to Ruby on Rails objects, which simply uploads an image into S3. When the Rails record is destroyed, it's supposed to delete the S3 object with `dependent: :purge_later`.

It seems like this is actually working, but I'm getting an error in the console that doesn't seem to make sense. For example, when the object is deleted, here's what Rails shows in the console:

    Performing ActiveStorage::PurgeJob (Job ID: de894c78-5398-4b6e-b0c0-6b095063b97f) from Async(default) with arguments: #<GlobalID:0x00005620ed43c768 @uri=#<URI::GID gid://vspm/ActiveStorage::Blob/2899>>
       (1.2ms)  BEGIN
      ActiveStorage::Attachment Exists (1.6ms)  SELECT  1 AS one FROM "active_storage_attachments" WHERE "active_storage_attachments"."blob_id" = $1 LIMIT $2  [["blob_id", 2899], ["LIMIT", 1]]
      ActiveStorage::Blob Destroy (1.7ms)  DELETE FROM "active_storage_blobs" WHERE "active_storage_blobs"."id" = $1  [["id", 2899]]
       (2.0ms)  COMMIT
      ActiveStorage::Attachment Load (1.4ms)  SELECT  "active_storage_attachments".* FROM "active_storage_attachments" WHERE "active_storage_attachments"."record_id" = $1 AND "active_storage_attachments"."record_type" = $2 AND "active_storage_attachments"."name" = $3 LIMIT $4  [["record_id", 2899], ["record_type", "ActiveStorage::Blob"], ["name", "preview_image"], ["LIMIT", 1]]
    [Aws::S3::Client 204 0.288365 0 retries] delete_object(bucket:"my-bucket-name",key:"LiyJQK82y2XggmLHBXmcmukv")

      S3 Storage (290.1ms) Deleted file from key: LiyJQK82y2XggmLHBXmcmukv
    [Aws::S3::Client 403 0.065125 0 retries] list_objects_v2(prefix:"variants/LiyJQK82y2XggmLHBXmcmukv/",bucket:"my-bucket-name") Aws::S3::Errors::AccessDenied Access Denied

      S3 Storage (66.7ms) Deleted files by key prefix: variants/LiyJQK82y2XggmLHBXmcmukv/
    Error performing ActiveStorage::PurgeJob (Job ID: de894c78-5398-4b6e-b0c0-6b095063b97f) from Async(default) in 374.9ms: Aws::S3::Errors::AccessDenied (Access Denied):
    /usr/local/bundle/gems/aws-sdk-core-3.112.0/lib/seahorse/client/plugins/raise_response_errors.rb:17:in `call'
    /usr/local/bundle/gems/aws-sdk-s3-1.88.2/lib/aws-sdk-s3/plugins/sse_cpk.rb:24:in `call'
    /usr/local/bundle/gems/aws-sdk-s3-1.88.2/lib/aws-sdk-s3/plugins/dualstack.rb:36:in `call'
    /usr/local/bundle/gems/aws-sdk-s3-1.88.2/lib/aws-sdk-s3/plugins/accelerate.rb:50:in `call'
    /usr/local/bundle/gems/aws-sdk-core-3.112.0/lib/aws-sdk-core/plugins/jsonvalue_converter.rb:22:in `call'
    /usr/local/bundle/gems/aws-sdk-core-3.112.0/lib/aws-sdk-core/plugins/idempotency_token.rb:19:in `call'
    /usr/local/bundle/gems/aws-sdk-core-3.112.0/lib/aws-sdk-core/plugins/param_converter.rb:26:in `call'
    /usr/local/bundle/gems/aws-sdk-core-3.112.0/lib/seahorse/client/plugins/request_callback.rb:71:in `call'
    /usr/local/bundle/gems/aws-sdk-core-3.112.0/lib/aws-sdk-core/plugins/response_paging.rb:12:in `call'
    /usr/local/bundle/gems/aws-sdk-core-3.112.0/lib/seahorse/client/plugins/response_target.rb:24:in `call'
    /usr/local/bundle/gems/aws-sdk-core-3.112.0/lib/seahorse/client/request.rb:72:in `send_request'
    /usr/local/bundle/gems/aws-sdk-s3-1.88.2/lib/aws-sdk-s3/client.rb:7878:in `list_objects_v2'
    /usr/local/bundle/gems/aws-sdk-s3-1.88.2/lib/aws-sdk-s3/bucket.rb:814:in `block in objects'
    /usr/local/bundle/gems/aws-sdk-core-3.112.0/lib/aws-sdk-core/resources/collection.rb:101:in `each'
    /usr/local/bundle/gems/aws-sdk-core-3.112.0/lib/aws-sdk-core/resources/collection.rb:101:in `each'
    /usr/local/bundle/gems/aws-sdk-core-3.112.0/lib/aws-sdk-core/resources/collection.rb:101:in `block in non_empty_batches'
    /usr/local/bundle/gems/aws-sdk-s3-1.88.2/lib/aws-sdk-s3/object_summary.rb:1343:in `each'
    /usr/local/bundle/gems/aws-sdk-s3-1.88.2/lib/aws-sdk-s3/object_summary.rb:1343:in `each'
    /usr/local/bundle/gems/aws-sdk-s3-1.88.2/lib/aws-sdk-s3/object_summary.rb:1343:in `batch_delete!'
    /usr/local/bundle/gems/activestorage-5.2.4/lib/active_storage/service/s3_service.rb:55:in `block in delete_prefixed'
    /usr/local/bundle/gems/activesupport-5.2.4/lib/active_support/notifications.rb:168:in `block in instrument'
    /usr/local/bundle/gems/activesupport-5.2.4/lib/active_support/notifications/instrumenter.rb:23:in `instrument'
    /usr/local/bundle/gems/activesupport-5.2.4/lib/active_support/notifications.rb:168:in `instrument'
    /usr/local/bundle/gems/activestorage-5.2.4/lib/active_storage/service.rb:124:in `instrument'
    /usr/local/bundle/gems/activestorage-5.2.4/lib/active_storage/service/s3_service.rb:54:in `delete_prefixed'
    /usr/local/bundle/gems/activestorage-5.2.4/app/models/active_storage/blob.rb:174:in `delete'
    /usr/local/bundle/gems/activestorage-5.2.4/app/models/active_storage/blob.rb:182:in `purge'
    /usr/local/bundle/gems/activestorage-5.2.4/app/jobs/active_storage/purge_job.rb:8:in `perform'
    /usr/local/bundle/gems/activejob-5.2.4/lib/active_job/execution.rb:39:in `block in perform_now'
    /usr/local/bundle/gems/activesupport-5.2.4/lib/active_support/callbacks.rb:109:in `block in run_callbacks'
    /usr/local/bundle/gems/i18n-1.8.9/lib/i18n.rb:314:in `with_locale'
    /usr/local/bundle/gems/activejob-5.2.4/lib/active_job/translation.rb:9:in `block (2 levels) in <module:Translation>'
    /usr/local/bundle/gems/activesupport-5.2.4/lib/active_support/callbacks.rb:118:in `instance_exec'
    /usr/local/bundle/gems/activesupport-5.2.4/lib/active_support/callbacks.rb:118:in `block in run_callbacks'
    /usr/local/bundle/gems/activejob-5.2.4/lib/active_job/logging.rb:26:in `block (4 levels) in <module:Logging>'
    /usr/local/bundle/gems/activesupport-5.2.4/lib/active_support/notifications.rb:168:in `block in instrument'
    /usr/local/bundle/gems/activesupport-5.2.4/lib/active_support/notifications/instrumenter.rb:23:in `instrument'
    /usr/local/bundle/gems/activesupport-5.2.4/lib/active_support/notifications.rb:168:in `instrument'
    /usr/local/bundle/gems/activejob-5.2.4/lib/active_job/logging.rb:25:in `block (3 levels) in <module:Logging>'
    /usr/local/bundle/gems/activejob-5.2.4/lib/active_job/logging.rb:46:in `block in tag_logger'
    /usr/local/bundle/gems/activesupport-5.2.4/lib/active_support/tagged_logging.rb:71:in `block in tagged'
    /usr/local/bundle/gems/activesupport-5.2.4/lib/active_support/tagged_logging.rb:28:in `tagged'
    /usr/local/bundle/gems/activesupport-5.2.4/lib/active_support/tagged_logging.rb:71:in `tagged'
    /usr/local/bundle/gems/activejob-5.2.4/lib/active_job/logging.rb:46:in `tag_logger'
    /usr/local/bundle/gems/activejob-5.2.4/lib/active_job/logging.rb:22:in `block (2 levels) in <module:Logging>'
    /usr/local/bundle/gems/activesupport-5.2.4/lib/active_support/callbacks.rb:118:in `instance_exec'
    /usr/local/bundle/gems/activesupport-5.2.4/lib/active_support/callbacks.rb:118:in `block in run_callbacks'
    /usr/local/bundle/gems/activesupport-5.2.4/lib/active_support/callbacks.rb:136:in `run_callbacks'
    /usr/local/bundle/gems/activejob-5.2.4/lib/active_job/execution.rb:38:in `perform_now'
    /usr/local/bundle/gems/activejob-5.2.4/lib/active_job/execution.rb:24:in `block in execute'
    /usr/local/bundle/gems/activesupport-5.2.4/lib/active_support/callbacks.rb:109:in `block in run_callbacks'
    /usr/local/bundle/gems/activejob-5.2.4/lib/active_job/railtie.rb:28:in `block (4 levels) in <class:Railtie>'
    /usr/local/bundle/gems/activesupport-5.2.4/lib/active_support/execution_wrapper.rb:87:in `wrap'
    /usr/local/bundle/gems/activesupport-5.2.4/lib/active_support/reloader.rb:73:in `block in wrap'
    /usr/local/bundle/gems/activesupport-5.2.4/lib/active_support/execution_wrapper.rb:87:in `wrap'
    /usr/local/bundle/gems/activesupport-5.2.4/lib/active_support/reloader.rb:72:in `wrap'
    /usr/local/bundle/gems/activejob-5.2.4/lib/active_job/railtie.rb:27:in `block (3 levels) in <class:Railtie>'
    /usr/local/bundle/gems/activesupport-5.2.4/lib/active_support/callbacks.rb:118:in `instance_exec'
    /usr/local/bundle/gems/activesupport-5.2.4/lib/active_support/callbacks.rb:118:in `block in run_callbacks'
    /usr/local/bundle/gems/activesupport-5.2.4/lib/active_support/callbacks.rb:136:in `run_callbacks'
    /usr/local/bundle/gems/activejob-5.2.4/lib/active_job/execution.rb:22:in `execute'
    /usr/local/bundle/gems/activejob-5.2.4/lib/active_job/queue_adapters/async_adapter.rb:70:in `perform'
    /usr/local/bundle/gems/concurrent-ruby-1.1.8/lib/concurrent-ruby/concurrent/executor/ruby_thread_pool_executor.rb:363:in `run_task'
    /usr/local/bundle/gems/concurrent-ruby-1.1.8/lib/concurrent-ruby/concurrent/executor/ruby_thread_pool_executor.rb:352:in `block (3 levels) in create_worker'
    /usr/local/bundle/gems/concurrent-ruby-1.1.8/lib/concurrent-ruby/concurrent/executor/ruby_thread_pool_executor.rb:335:in `loop'
    /usr/local/bundle/gems/concurrent-ruby-1.1.8/lib/concurrent-ruby/concurrent/executor/ruby_thread_pool_executor.rb:335:in `block (2 levels) in create_worker'
    /usr/local/bundle/gems/concurrent-ruby-1.1.8/lib/concurrent-ruby/concurrent/executor/ruby_thread_pool_executor.rb:334:in `catch'
    /usr/local/bundle/gems/concurrent-ruby-1.1.8/lib/concurrent-ruby/concurrent/executor/ruby_thread_pool_executor.rb:334:in `block in create_worker'

When I check S3, the object is actually no longer there, so I'm not quite sure why it's failing here. From my understanding, the reason it's failing is that it's not able to perform ListObjects; however, here's a copy of my S3 policy:

    {
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket-name/*"
      ],
      "Effect": "Allow"
    },

Shouldn't this mean I should be able to do whatever to this bucket?

This issue seems similar to mine, but I am using a secret key and access key ID that are tied to this policy, which has permissions to do everything on S3.

I have even tried to do a very basic task, such as just listing the objects, but that failed with an AccessDenied error as well:

    irb(main):029:0> credentials = Aws::Credentials.new(access_key, secret_access_key)
    => #<Aws::Credentials access_key_id="[obfuscated-for-stackoverflow]">
    irb(main):030:0> s3 = Aws::S3::Resource.new(region: region, credentials: credentials)
    => #<Aws::S3::Resource:0x0000562375751798 @client=#<Aws::S3::Client>>
    irb(main):031:0> bucket = s3.bucket(@bucket_name)
    => #<Aws::S3::Bucket:0x000056237544e140 @name="my-bucket-name", @data=nil, @client=#<Aws::S3::Client>, @waiter_block_warned=false, @resolved_region="us-east-1", @arn=nil>
    irb(main):032:0> bucket.objects.first
    [Aws::S3::Client 403 0.27261 0 retries] list_objects_v2(bucket:"my-bucket-name") Aws::S3::Errors::AccessDenied Access Denied

    Traceback (most recent call last):
    Aws::S3::Errors::AccessDenied (Access Denied)
    irb(main):033:0>

(my-bucket-name is just obfuscated for this question)

> Shouldn't this mean I should be able to do whatever to this bucket?

No it doesn't. Your policy applies to only objects in the bucket, not the bucket itself, due to `/*`. The `/*` refers to objects only. To have the policy apply to the bucket as well you need:

    {
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket-name",
        "arn:aws:s3:::my-bucket-name/*"
      ],
      "Effect": "Allow"
    }

The above policy allows for everything, so be careful how you use it.
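As an added example (not code from the question, the answer, or the AWS SDK), the following Ruby script models the IAM Action/Resource matching that produces the AccessDenied above: it maps the two SDK calls from the purge log to the IAM action and ARN each one is evaluated against, then checks them against the question's policy, the answer's policy, and an assumed least-privilege policy that replaces `s3:*`. The evaluator is a deliberate simplification (Allow statements and wildcards only; no Deny, conditions or bucket policies).

```ruby
# Added example, not from the question or answer: a small evaluator for the
# IAM Action/Resource matching behind the AccessDenied above. It models only
# Allow statements with "*" / "?" wildcards (no Deny, conditions or bucket
# policies), which is enough to show why "bucket/*" does not cover the bucket.
BUCKET = "arn:aws:s3:::my-bucket-name"

# Compile an IAM wildcard pattern to an anchored regexp. "*" matches any run
# of characters and "?" a single one. Actions match case-insensitively,
# resource ARNs do not.
def iam_pattern(pattern, ignore_case: false)
  src = Regexp.escape(pattern).gsub('\*', '.*').gsub('\?', '.')
  Regexp.new("\\A#{src}\\z", ignore_case ? Regexp::IGNORECASE : 0)
end

# True when some Allow statement matches both the action and the resource.
def allowed?(statements, action, resource)
  statements.any? do |st|
    next false unless st["Effect"] == "Allow"
    Array(st["Action"]).any? { |a| iam_pattern(a, ignore_case: true).match?(action) } &&
      Array(st["Resource"]).any? { |r| iam_pattern(r).match?(resource) }
  end
end

# The two SDK calls from the purge log, each with the IAM action it needs and
# the ARN it is evaluated against. ListObjectsV2 is a bucket operation, so its
# resource is the bare bucket ARN, never "bucket/key".
def purge_calls(key)
  [["delete_object",   "s3:DeleteObject", "#{BUCKET}/#{key}"],
   ["list_objects_v2", "s3:ListBucket",   BUCKET]]
end

# Returns e.g. { "delete_object" => true, "list_objects_v2" => false }.
def evaluate_purge(statements, key = "LiyJQK82y2XggmLHBXmcmukv")
  purge_calls(key).to_h { |op, action, arn| [op, allowed?(statements, action, arn)] }
end

# Policy from the question (objects only) and from the answer (bucket + objects).
OBJECTS_ONLY = [{ "Action" => "s3:*", "Resource" => ["#{BUCKET}/*"], "Effect" => "Allow" }]
BUCKET_AND_OBJECTS = [{ "Action" => "s3:*", "Resource" => [BUCKET, "#{BUCKET}/*"], "Effect" => "Allow" }]
# Assumed least-privilege alternative: the object actions plus ListBucket on the
# bucket, instead of "s3:*". Verify against your own storage service's calls.
LEAST_PRIVILEGE = [
  { "Action" => %w[s3:GetObject s3:PutObject s3:DeleteObject], "Resource" => ["#{BUCKET}/*"], "Effect" => "Allow" },
  { "Action" => "s3:ListBucket", "Resource" => BUCKET, "Effect" => "Allow" }
]

if __FILE__ == $PROGRAM_NAME
  { "objects-only" => OBJECTS_ONLY, "bucket+objects" => BUCKET_AND_OBJECTS,
    "least-privilege" => LEAST_PRIVILEGE }.each { |n, p| puts "#{n}: #{evaluate_purge(p)}" }
end
```

Running it shows `delete_object` succeeding and `list_objects_v2` failing under the objects-only policy, exactly the 204 followed by the 403 in the log, while both other policies permit the purge.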
