堆栈内存溢出
  简体   繁体   English

我需要一个对单个存储桶具有完全访问权限的 Amazon S3 用户

[英]I need an Amazon S3 user with full access to a single bucket

 原文  2011-11-20 18:16:36       amazon-s3/ amazon-web-services/ user-permissions/ amazon-iam

问题描述

I have a user foo with the following privileges (it's not a member of any group):我有一个用户 foo 具有以下权限(它不是任何组的成员):

{
  "Statement": [
    {
      "Sid": "Stmt1308813201865",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bar"
    }
  ]
}

That user however seem unable to upload or do much of anything until I grant full access to authenticated users (which might apply to anyone).然而,该用户似乎无法上传或做任何事情,直到我向经过身份验证的用户授予完全访问权限(这可能适用于任何人)。 This still doesn't let the user change permission as boto is throwing an error after an upload when it tries to do do key.set_acl('public-read') .这仍然不会让用户更改权限,因为boto在尝试执行key.set_acl('public-read')时在上传后抛出错误。

Ideally this user would have full access to the bar bucket and nothing else, what am I doing wrong?理想情况下,该用户可以完全访问bar存储桶,而没有其他权限,我做错了什么?

9 个解决方案

解决方案1
 44 已采纳  2011-11-21 14:55:41

You need to grant s3:ListBucket permission to the bucket itself.您需要向存储桶本身授予s3:ListBucket权限。 Try the policy below.试试下面的政策。

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "S3:*",
      "Resource": "arn:aws:s3:::bar/*",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::bar",
      "Condition": {}
    }
  ]
}

解决方案2
 21  2012-11-21 16:25:56

The selected answer didn't work for me, but this one did:选定的答案对我不起作用,但这个答案对我有用:

{
  "Statement": [
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ],
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    }
  ]
}

Credit: http://mikeferrier.com/2011/10/27/granting-access-to-a-single-s3-bucket-using-amazon-iam/信用: http : //mikeferrier.com/2011/10/27/granting-access-to-a-single-s3-bucket-using-amazon-iam/

解决方案3
 9  2012-10-05 09:23:55

您了解AWS 策略生成器吗?

解决方案4
 2  2017-06-21 14:21:59

There is an official AWS documentation at Writing IAM Policies: How to Grant Access to an Amazon S3 BucketWriting IAM Policies: How to Grant Access to an Amazon S3 Bucket中有官方AWS文档

Just copy and paste the appropriate rule and change the "Resource" key to your bucket's ARN in all Statements.只需复制并粘贴适当的规则,然后在所有语句中将“Resource”键更改为您的存储桶的 ARN。

For programamtic access the policy should be:对于程序化访问,策略应该是:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::bar"]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:DeleteObject"
            ],
            "Resource": ["arn:aws:s3:::bar/*"]
        }
    ]
}

And for console access access should be:对于控制台访问权限应该是:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::bar*"
        },
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::bar"]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:DeleteObject"
            ],
            "Resource": ["arn:aws:s3:::bar/*"]
        }
    ]
}

解决方案5
 0  2015-01-25 14:26:38

That works for me:这对我行得通:

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:ListBucketMultipartUploads",
                "s3:ListBucketVersions"
            ],
            "Resource": "arn:aws:s3:::bucket_name_here"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:*Object*",
                "s3:ListMultipartUploadParts",
                "s3:AbortMultipartUpload"
            ],
            "Resource": "arn:aws:s3:::bucket_name_here/*"
        }
    ]
}

解决方案6
 0  2015-11-23 11:31:05

If you've been pulling your hair out because you cannot figure out why Cyberduck is not being able to set object ACLs but it works with another client (like Panic Transmit) here is the solution:如果您因为无法弄清楚为什么 Cyber​​duck 无法设置对象 ACL 但它与另一个客户端(如 Panic Transmit)一起工作而一直在纠结,这里是解决方案:

You need to add s3:GetBucketAcl to your Action list, eg:您需要将s3:GetBucketAcl添加到您的操作列表中,例如:

{
    "Statement": [
        {
            "Sid": "Stmt1",
            "Action": [
                "s3:GetBucketAcl",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::your-bucket-name"
        }
    ]
}

Of course you don't need to do this if you are less restrictive with s3:* but I think this is good to know.当然,如果您对s3:*限制较少,则不需要这样做,但我认为了解这一点很好。

解决方案7
 0  2017-11-02 15:22:43

@cloudberryman's answer is correct but I like to make things as short as possible. @cloudberryman 的回答是正确的,但我喜欢让事情尽可能简短。 This answer can be reduced to:这个答案可以简化为:

{  
   "Statement":[  
      {  
         "Effect":"Allow",
         "Action":"S3:*",
         "Resource":[  
            "arn:aws:s3:::bar",
            "arn:aws:s3:::bar/*"
         ]
      }
   ]
}

解决方案8
 0  2019-06-21 07:20:20

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                        "s3:GetBucketLocation",
                        "s3:ListAllMyBuckets"
                      ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::YOUR-BUCKET",
                "arn:aws:s3:::YOUR-BUCKET/*"
            ]
        }
    ]
}

解决方案9
 0  2019-11-08 05:05:21

I have a user foo with the following privileges (it's not a member of any group):我有一个具有以下特权的用户foo(它不是任何组的成员):

{
  "Statement": [
    {
      "Sid": "Stmt1308813201865",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bar"
    }
  ]
}

That user however seem unable to upload or do much of anything until I grant full access to authenticated users (which might apply to anyone).但是,在我向身份验证的用户授予完全访问权限(可能适用于任何人)之前,该用户似乎无法上传或执行任何操作。 This still doesn't let the user change permission as boto is throwing an error after an upload when it tries to do do key.set_acl('public-read') .这仍然不允许用户更改权限,因为boto在尝试执行key.set_acl('public-read')时在上传后抛出错误。

Ideally this user would have full access to the bar bucket and nothing else, what am I doing wrong?理想情况下,该用户可以完全访问bar桶,而没有别的,我在做什么错?

解决方案10
 0  2020-05-15 14:25:49

Another way I was recently able to get this to work was using Amazon's documentation .我最近能够让它工作的另一种方法是使用亚马逊的文档 The key for me was to point the IAM User to the specific bucket NOT the S3 console .对我来说,关键是将 IAM 用户指向特定的存储桶,而不是 S3 控制台 Per the documentation, "Warning: After you change these permissions, the user gets an Access Denied error when they access the main Amazon S3 console. The main console link is similar to the following:根据文档“警告:更改这些权限后,用户在访问 Amazon S3 主控制台时会收到拒绝访问错误。主控制台链接类似于以下内容:

https://s3.console.aws.amazon.com/s3/home https://s3.console.aws.amazon.com/s3/home

Instead, the user must access the bucket using a direct console link to the bucket, similar to the following:相反,用户必须使用指向存储桶的直接控制台链接访问存储桶,类似于以下内容:

https://s3.console.aws.amazon.com/s3/buckets/awsexamplebucket/ " https://s3.console.aws.amazon.com/s3/buckets/awsexamplebucket/ "

My policy is below:我的政策如下:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "Stmt1589486662000",
        "Effect": "Allow",
        "Action": [
            "s3:*"
        ],
        "Resource": [
            "arn:aws:s3:::AWSEXAMPLEBUCKET",
            "arn:aws:s3:::AWSEXAMPLEBUCKET/*"
        ]
    }
]
}

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 使用Amazon IAM限制用户访问Single S3存储桶? - Restrict user access to Single S3 Bucket using Amazon IAM? Amazon S3 IAM用户无法访问S3存储桶 - Amazon S3 IAM User can' access S3 bucket ELI5:如何授予单个用户对S3存储桶的完全访问权限? - ELI5: How to grant a single user full access to an S3 bucket? 仅向一位 IAM 用户授予对 Amazon S3 存储桶的访问权限 - Grant access to Amazon S3 bucket only to one IAM User 只有1个IAM用户可以访问S3存储桶时,是否需要启用“公共访问”? - Do I need to enable Public Access when only 1 IAM user can access S3 Bucket? 允许IAM用户访问单个s3存储桶 - Allow IAM user to access single s3 bucket 创建单个 IAM 用户以仅访问特定的 S3 存储桶 - Create a single IAM user to access only specific S3 bucket Amazon S3存储桶对象访问 - Amazon S3 bucket objects access Amazon S3-访问私有存储桶 - Amazon S3 - Access to Private Bucket 使用Rstudio的Amazon S3存储桶访问 - amazon S3 bucket access with Rstudio
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM