
AWS S3 ACL Policy Condition

I'm trying to set up my role policy for S3. What I'm trying to do is allow users to get out any images that contain "public" in their name. The problem is that I seem to have gotten the correct policy (it succeeds in the policy simulator) but when I'm running it in my app it doesn't seem to be working properly.

Here is my policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "mobileanalytics:PutEvents",
                "cognito-sync:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": "*public*"
                }
            }
        }
    ]
}

I am setting the s3:prefix as user1/image1-public. Like I mentioned before, on the policy simulator, it allows all "Get" and "List" commands (just like it should).

The problem is when I'm downloading an example image from the database using the transfer manager in the iOS app, I get the following error:

2015-10-07 14:22:01.716 SimpleAuth[71584:8584520] Error: Error Domain=com.amazonaws.AWSS3ErrorDomain Code=1 "The operation couldn't be completed. (com.amazonaws.AWSS3ErrorDomain error 1.)" UserInfo=0x7fcbf2d8c560 {HostId=ke/f5x+DKCnjuzlbH5XBWCQfawbkUIRWWhPcY9LdqjPqP5kUyq0rzIjkqeL+8Bm/fvr/l24Wm94=, Message=Access Denied, Code=AccessDenied, RequestId=180803E4DDD0BB73}

The code that I have in the Xcode project is

AWSS3TransferManagerDownloadRequest *downloadRequest = [AWSS3TransferManagerDownloadRequest new];

downloadRequest.bucket = @"test";
downloadRequest.key = @"user1/image1-public";
downloadRequest.downloadingFileURL = downloadingFileURL;

// Download the file.
[[transferManager download:downloadRequest] continueWithExecutor:[AWSExecutor mainThreadExecutor]
                                                       withBlock:^id(AWSTask *task) {
    if (task.error) {
        if ([task.error.domain isEqualToString:AWSS3TransferManagerErrorDomain]) {
            switch (task.error.code) {
                case AWSS3TransferManagerErrorCancelled:
                case AWSS3TransferManagerErrorPaused:
                    break;

                default:
                    NSLog(@"Error: %@", task.error);
                    break;
            }
        } else {
            // Unknown error. Errors from the service itself (such as the
            // com.amazonaws.AWSS3ErrorDomain AccessDenied above) land here.
            NSLog(@"Error: %@", task.error);
        }
    }

    if (task.result) {
        AWSS3TransferManagerDownloadOutput *downloadOutput = task.result;
        // File downloaded successfully.
        NSLog(@"Now go to the next screen");

        [self performSegueWithIdentifier:@"LoginSuccessSegue" sender:self];
    }
    return nil;
}];

Any help would be greatly appreciated. I've never been able to get a "Condition" to work on an ACL.

"s3:prefix": "*public*" will essentially never match anything meaningful.

It specifies a prefix -- not a wildcard match.

To match the image object at /user-1/image/public/kitten.jpg and everything else at the same level of structure, the policy condition would need to be "s3:prefix": "user-1/image/public/"

For a policy like this to work, the "public" needs to be at the far left of the path -- the prefix.

The documentation is unclear, but it is possible that instead of a condition, you could use a wildcard in the resource. It says, simply, "You can use wild card." If true, then perhaps something along these lines:

"Resource": [
             "arn:aws:s3:::example-bucket/*/public/*"
            ],

If not, you're limited to prefixes again, which would be what I suspect may be the case.

I would have thought, though, that there would have been a warning from the policy simulator, something like this, to let you know that the policy simulator does not thoroughly evaluate all aspects of the policy, for some services:

This action belongs to a service that supports access control mechanisms attached to resources. The simulator does not model these mechanisms, so results may differ in your production environment.

http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html
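The following is an added example, not code from the question or the answer above. It is a small, simplified model of IAM policy evaluation (identity policy only; no bucket policy or ACLs) written to show why the simulator and the app disagree: the StringLike operator does support * and ? wildcards, but the s3:prefix condition key is only populated by S3 on bucket-listing requests such as ListBucket, so a real GetObject request has no s3:prefix key in its context, the condition evaluates to false, and the statement never matches. In the simulator the key was typed in by hand, which is why it reported Allow. The second policy is the resource-wildcard variant proposed in the answer (the bucket name "example-bucket" and the object keys are taken from or constructed after the answer). Only the S3 statement from the question is reproduced; the mobileanalytics/cognito statement is omitted.

```python
import re

# Constructed copies of the two policies discussed above: the S3 statement
# from the question, and the resource-wildcard variant proposed in the answer.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:Get*", "s3:List*"],
        "Resource": ["arn:aws:s3:::*"],
        "Condition": {"StringLike": {"s3:prefix": "*public*"}},
    }],
}

RESOURCE_SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": ["arn:aws:s3:::example-bucket/*/public/*"],
    }],
}


def iam_glob(pattern, value):
    """IAM-style wildcard match: '*' spans any characters (including '/'), '?' one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, context):
    """Evaluate a Condition block (StringLike only) against the request context."""
    for operator, pairs in condition.items():
        if operator != "StringLike":
            raise NotImplementedError(f"operator {operator} not modelled here")
        for key, patterns in pairs.items():
            # A key that is absent from the request context makes the condition
            # false; only the ...IfExists operator form treats absence as a match.
            if key not in context:
                return False
            if not any(iam_glob(p, context[key]) for p in _as_list(patterns)):
                return False
    return True


def evaluate(policy, action, resource_arn, context):
    """Simplified IAM decision: explicit Deny wins, otherwise Allow if any
    statement matches, otherwise implicit Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not any(iam_glob(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(iam_glob(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def simulate_list(policy, bucket, prefix):
    # ListBucket is the request type on which S3 populates the s3:prefix key.
    return evaluate(policy, "s3:ListBucket", f"arn:aws:s3:::{bucket}", {"s3:prefix": prefix})


def simulate_get(policy, bucket, key):
    # A real GetObject request (what the transfer manager issues) carries no
    # s3:prefix key, so the context is empty as far as this condition is concerned.
    return evaluate(policy, "s3:GetObject", f"arn:aws:s3:::{bucket}/{key}", {})


if __name__ == "__main__":
    # The simulator run from the question: s3:prefix was supplied by hand.
    print("simulator GetObject:", evaluate(ORIGINAL_POLICY, "s3:GetObject",
          "arn:aws:s3:::test/user1/image1-public", {"s3:prefix": "user1/image1-public"}))
    print("app GetObject:      ", simulate_get(ORIGINAL_POLICY, "test", "user1/image1-public"))
    print("app ListBucket:     ", simulate_list(ORIGINAL_POLICY, "test", "user1/image1-public"))
    print("scoped GetObject:   ", simulate_get(RESOURCE_SCOPED_POLICY, "example-bucket",
                                               "user-1/image/public/kitten.jpg"))
    print("scoped private:     ", simulate_get(RESOURCE_SCOPED_POLICY, "example-bucket",
                                               "user-1/image/private/kitten.jpg"))
```

The resource-scoped policy needs no condition at all: the object key is part of the resource ARN, so the "public" path segment is enforced on every GetObject, and objects outside a "/public/" segment fall through to the implicit deny. When checking a policy like this, test the actual API call the client makes (GetObject) with the context keys S3 really supplies for it, rather than hand-filling condition keys in the simulator.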
