I am trying to use put-bucket-policy to add a policy to an s3 bucket via the aws s3api (Windows).
I am using precisely the policy code given here http://docs.aws.amazon.com/AmazonS3/latest/dev/AccessPolicyLanguage_UseCases_s3_a.html under "Granting Permission to an Anonymous User" with my bucket name substituted in.
I am getting
A client error (MalformedPolicy) occured: policies must be valid JSON and the first byte must be '{'
Any clues?
EDIT: Inlining the JSON works- so it is some kind of file format issue - just not one that I can see. Be great to be able to get it working with files.
EDIT: To help anyone else who maybe ends up here, buckets should be named all in lowercase. If not, some s3/s3api operations work, but not others. See here
You must add file://
protocol scheme to the policy file path
$ aws s3api put-bucket-policy --bucket kryptonite \
--policy file:///home/superman/aws-example/public-bucket-policy.json
$ aws s3api put-bucket-policy --bucket kryptonite \\ --policy file://C:\\Temp\\public-bucket-policy.json
$ aws s3api put-bucket-policy --bucket kryptonite \\ --policy file://public-bucket-policy.json
First let's make sure there's no other policy on the bucket:
$ ls
public-bucket-policy.json
$ cat public-bucket-policy.json
{
"Statement": [
{
"Resource": "arn:aws:s3:::kryptonite/*",
"Action": "s3:GetObject",
"Principal": "*",
"Effect": "Allow",
"Sid": "AddPerm"
}
],
"Version": "2012-10-17"
}
Now let's make sure we have policy file in current directory and it contains valid json (mind name of the kryptonite
bucket
$ ls public-bucket-policy.json $ cat public-bucket-policy.json { "Statement": [ { "Resource": "arn:aws:s3:::kryptonite/*", "Action": "s3:GetObject", "Principal": "*", "Effect": "Allow", "Sid": "AddPerm" } ], "Version": "2012-10-17" }
Now let's try to put the policy by specifying just filename
$ s3api put-bucket-policy --bucket kryptonite --policy public-bucket-policy.json A client error (MalformedPolicy) occurred when calling the PutBucketPolicy operation: Policies must be valid JSON and the first byte must be '{'
Now let's make another attempt and specify the full path $ s3api put-bucket-policy --bucket kryptonite \\ --policy /home/superman/aws-example/public-bucket-policy.json
$ s3api put-bucket-policy --bucket kryptonite \
--policy file:///home/superman/aws-example/public-bucket-policy.json
Now let's add file://
prefix and it will work
$ s3api put-bucket-policy --bucket kryptonite \\ --policy file:///home/superman/aws-example/public-bucket-policy.json
And we can now verify that this policy had been applied
$ s3api get-bucket-policy --bucket kryptonite { "Policy": "{\\"Version\\":\\"2012-10-17\\",\\"Statement\\":[{\\"Sid\\":\\"AddPerm\\",\\"Effect\\":\\"Allow\\",\\"Principal\\":\\"*\\",\\"Action\\":\\"s3:GetObject\\",\\"Resource\\":\\"arn:aws:s3:::kryptonite/*\\"}]}" }
And as special bonus let's pipe the policy through the jq
utility (twice) to extract correct field and format JSON nicely
$ s3api get-bucket-policy --bucket kryptonite | jq .Policy --raw-output | jq . { "Statement": [ { "Resource": "arn:aws:s3:::kryptonite/*", "Action": "s3:GetObject", "Principal": "*", "Effect": "Allow", "Sid": "AddPerm" } ], "Version": "2012-10-17" }
I have gone with inling the JSON.
Couple of maybe useful hints for those that end up here.
Bucket names: Buckets should be named all in lowercase. If not, some s3/s3api operations work ( mb , put-bucket-policy ), but not others (put-bucket-website ) See http://support.rightscale.com/09-Clouds/AWS/FAQs/FAQ_0094_-_What_are_valid_S3_bucket_names%3F
If, like me, you start by using get-bucket-website on a bucket created through the S3 console to get example JSON for making a bucket a website, it may not work. get-bucket-website gives you back blank entries for any unset parameters (eg RedirectAllRequestsTo ) - which gives errors if used in put-bucket-website ... Just miss parameters out if you don't need them and that works - eg
{"IndexDocument":{"Suffix":"index.html"}}
is the minimum. (remember to escape the quotes if inlining!)
对于“完整内联”语法,请使用:
aws s3api put-bucket-policy --bucket MYBUCKETNAME --policy "{\"Version\":\"2008-10-17\", \"Statement\":[{\"Sid\":\"AllowPublicRead\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"s3:GetObject\",\"Resource\":\"arn:aws:s3:::MYBUCKETNAME/*\"}]}"
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.