With the boto library, can I avoid granting list permissions on a base bucket in S3?
I currently have an IAM role that has a policy like so:

    {
      "Version":"2008-10-17",
      "Statement": [
        {
          "Effect":"Allow",
          "Action":["s3:ListBucket"],
          "Resource":[
            "arn:aws:s3:::blah.example.com"
          ]
        },
        {
          "Effect":"Allow",
          "Action":["s3:GetObject", "s3:GetObjectAcl", "s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject"],
          "Resource":[
            "arn:aws:s3:::blah.example.com/prefix/"
          ]
        }
      ]
    }
Boto seems to require the ListBucket permission be present on the root of the bucket to do the get_bucket call. If I remove the first hash in the Statement array, get_bucket('blah.example.com') will fail. Here's the error text:

    *** S3ResponseError: S3ResponseError: 403 Forbidden <?xml version="1.0" encoding="UTF-8"?> <Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>xxxx</RequestId><HostId>yyyy</HostId></Error>

Is there any way to restrict listing of the bucket to a certain prefix (eg "prefix/") while still using boto?
UPDATE
In order to get everything working, I used the following policy:

    {
      "Version":"2008-10-17",
      "Statement": [
        {
          "Effect":"Allow",
          "Action":["s3:ListBucket"],
          "Resource":[
            "arn:aws:s3:::blah.example.com"
          ],
          "Condition":{
            "StringLike":{
              "s3:prefix":"prefix/*"
            }
          }
        },
        {
          "Effect":"Allow",
          "Action":["s3:GetObject", "s3:GetObjectAcl", "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject"],
          "Resource":[
            "arn:aws:s3:::blah.example.com/prefix/*"
          ]
        }
      ]
    }
You still have to use the validate=False parameter to the get_bucket method, but it allows listing within the prefix.
By default boto tries to validate the existence of a bucket by doing a LIST operation on the bucket, asking for zero results. If you would prefer that it skip this validation step, just call it like this:

    >>> import boto
    >>> s3 = boto.connect_s3()
    >>> bucket = s3.get_bucket('mybucket', validate=False)

This should skip the LIST operation.
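To see why the updated policy from the question still needs validate=False, here is an added example (not from the question, the answer, or boto itself) that evaluates S3 requests against that policy with a deliberately minimal, allow-only simulation of IAM's StringLike condition: boto's validation LIST sends no prefix, so the s3:prefix condition cannot match and the call is denied, while a LIST under "prefix/" and object operations under "prefix/" are allowed. The evaluator and the request contexts are constructed assumptions; real IAM also handles Deny statements, other condition operators and policy variables, which this does not.

```python
import fnmatch

# The updated policy from the question, as a Python dict (copied, not invented).
POLICY = {
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::blah.example.com"],
            "Condition": {"StringLike": {"s3:prefix": "prefix/*"}},
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:GetObjectAcl", "s3:PutObject",
                       "s3:PutObjectAcl", "s3:DeleteObject"],
            "Resource": ["arn:aws:s3:::blah.example.com/prefix/*"],
        },
    ],
}


def _glob(pattern, value):
    # IAM's '*' crosses '/' boundaries, as fnmatch's '*' does.
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource, context):
    """Simplified evaluator (assumption): only Allow statements and the
    StringLike operator are modelled. A condition key missing from the
    request context makes the condition false, as in IAM."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        if not any(_glob(r, resource) for r in stmt["Resource"]):
            continue
        conds = stmt.get("Condition", {}).get("StringLike", {})
        if all(key in context and _glob(pat, context[key])
               for key, pat in conds.items()):
            return True
    return False


BUCKET = "arn:aws:s3:::blah.example.com"

# boto's validate=True step: LIST with max-keys=0 and no prefix -> denied.
validation_list = is_allowed(POLICY, "s3:ListBucket", BUCKET, {})
# bucket.list(prefix='prefix/2014/') after get_bucket(..., validate=False) -> allowed.
prefixed_list = is_allowed(POLICY, "s3:ListBucket", BUCKET, {"s3:prefix": "prefix/2014/"})
# Listing a sibling prefix -> denied; object ops inside and outside the prefix.
other_list = is_allowed(POLICY, "s3:ListBucket", BUCKET, {"s3:prefix": "other/"})
get_inside = is_allowed(POLICY, "s3:GetObject", BUCKET + "/prefix/file.txt", {})
get_outside = is_allowed(POLICY, "s3:GetObject", BUCKET + "/other/file.txt", {})
```

With boto 2 the matching real calls are s3.get_bucket('blah.example.com', validate=False) followed by bucket.list(prefix='prefix/'); the first policy in the question fails because its second statement names the bare "prefix/" key rather than "prefix/*".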