堆栈内存溢出
  简体   繁体   English

使用boto库,我可以避免在S3中对基本存储桶授予列表权限吗?

[英]With the boto library, can I avoid granting list permissions on a base bucket in S3?

 原文  2012-07-13 21:40:50       python/ amazon-s3/ amazon-web-services/ boto

问题描述

I currently have an IAM role that has a policy like so: 我目前有一个IAM角色,其策略如下: 

{
  "Version":"2008-10-17",
  "Statement": [
  {
    "Effect":"Allow",
    "Action":["s3:ListBucket"],
    "Resource":[
      "arn:aws:s3:::blah.example.com"
    ]
  },
  {
    "Effect":"Allow",
    "Action":["s3:GetObject", "s3:GetObjectAcl", "s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject"],
    "Resource":[
      "arn:aws:s3:::blah.example.com/prefix/"
    ]
  }
  ]
}

Boto seems to require the ListBucket permission be present on the root of the bucket to do the get_bucket call. Boto似乎要求在桶的根目录上存在ListBucket权限才能执行get_bucket调用。 If I remove the first hash in the Statement array, get_bucket('blah.example.com') will fail. 如果我删除Statement数组中的第一个哈希,get_bucket('blah.example.com')将失败。 Here's the error text: 这是错误文本: 

*** S3ResponseError: S3ResponseError: 403 Forbidden
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>xxxx</RequestId><HostId>yyyy</HostId></Error>

Is there any way to restrict listing of the bucket to a certain prefix (eg "prefix/") while still using boto? 有没有办法在仍然使用boto的情况下将存储桶的列表限制为某个前缀(例如“prefix /”)?

UPDATE UPDATE

In order to get everything working, I used the following policy: 为了使一切正常,我使用了以下策略: 

{
  "Version":"2008-10-17",
  "Statement": [
  {
    "Effect":"Allow",
    "Action":["s3:ListBucket"],
    "Resource":[
      "arn:aws:s3:::blah.example.com"
    ],
    "Condition":{
      "StringLike":{
         "s3:prefix":"prefix/*"
      }
    }
  },
  {
    "Effect":"Allow",
    "Action":["s3:GetObject", "s3:GetObjectAcl", "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject"],
    "Resource":[
      "arn:aws:s3:::blah.example.com/prefix/*"
    ]
  }
  ]
}

You still have to use the validate=False parameter to the get_bucket method, but it allows listing within the prefix. 您仍然必须对get_bucket方法使用validate=False参数,但它允许在前缀中列出。

1 个解决方案

解决方案1
 5  2012-07-13 21:47:01

By default boto tries to validate the existence of a bucket by doing a LIST operation on the bucket, asking for zero results. 默认情况下,boto尝试通过对存储桶执行LIST操作来验证存在桶,请求零结果。 If you would prefer that it skip this validation step, just call it like this: 如果您希望它跳过此验证步骤,只需将其调用如下: 

>>> import boto
>>> s3 = boto.connect_s3()
>>> bucket = s3.get_bucket('mybucket', validate=False)

This should skip the LIST operation. 这应该跳过LIST操作。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何以boto编程方式检查Amazon S3权限? - How can I programmatically check Amazon S3 permissions with boto? 当我无权列出S3存储桶的文件夹时,使用boto将文件上传到S3子文件夹 - Using boto Upload file to S3 sub folder when I have no permissions on listing folders of S3 bucket S3 boto库:如何对存储桶中的Key进行HEAD请求 - S3 boto library: How to do a HEAD request on the Key in the bucket 将文件从 databricks dbfs / local 上传到 S3 存储桶。 如何使用 boto3 库或挂载 s3 将文件从 databricks 上传到 S3 存储桶? - Uploading a file from databricks dbfs / local to an S3 bucket. How do i upload a file from databricks to S3 bucket using boto3 library or mounting s3? 使用 Python 和 Boto3 列出 S3 存储桶的目录内容? - List directory contents of an S3 bucket using Python and Boto3? 如何轻松确定Boto 3 S3存储桶资源是否存在? - How can I easily determine if a Boto 3 S3 bucket resource exists? 如何使用 boto3 将 Github 上的文件上传到 AWS S3 存储桶? - How can I upload the files on Github to AWS S3 bucket using boto3? 如何检查 S3 存储桶中的对象在 boto3 中是否公开? - How can I check if an object in an S3 bucket is public or not in boto3? 如何使用 boto3 为 IAM 用户授予对 S3 存储桶的完全权限? - How to grant full permissions on an S3 bucket for an IAM user using boto3? 在S3上使用boto库 - Using boto library on S3
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM