stackoom
  简体   繁体   中英

How do i list only accessible S3 bucket objects for a user, instead of explicitly asking for certain 'prefix'?

 原文  2017-10-05 07:24:42       amazon-web-services/ amazon-s3/ amazon-policy/ aws-resource-group

Question

This is how we make, S3 Bucket object listing request.

final ListObjectsV2Request req = new ListObjectsV2Request().withBucketName(bucketName)

Suppose we have attached the inline policy to the user, who is requesting the resource,

{
         "Sid": "AllowRootAndHomeListingOfBucket",
         "Action": [
             "s3:ListBucket"
         ],
         "Effect": "Allow",
         "Resource": [
             "arn:aws:s3:::XXXX.XXXX",
             "arn:aws:s3:::XXXX.XXXXX/php_serialize.rb"
         ]
     },
     {
         "Sid": "AllowAllS3ActionsInUserFolder",
         "Effect": "Allow",
         "Action": [
             "s3:*"
         ],
         "Resource": [
             "arn:aws:s3:::XXXX.XXXX/php_serialize.rb"
         ]
     }

Effect of this policy is that, it lets the user to list all the root level objects including the resource to which user is given the permission.

do {               
           result = s3client.listObjectsV2(req);

     for (S3ObjectSummary objectSummary : result.getObjectSummaries())      {

           }
           System.out.println("Next Continuation Token : " + result.getNextContinuationToken());
           req.setContinuationToken(result.getNextContinuationToken());
        } while(result.isTruncated() == true );

Result of this is:

text.rb
test/abc
php_serialize.rb
xyx/test.txt

I just want the php_serialize.rb , to get listed. If the requesting user doesn't know about the prefix, to which he is given the permissions.

Following Request, will not work in this case.

 final ListObjectsV2Request req = new ListObjectsV2Request().withBucketName(bucketName).withPrefix("php_serialize.rb");

1 answers

solution1
 0 ACCPTED  2017-10-05 22:27:29

It isn't possible to ask S3 for a list of objects a specific user would be able to access.

That would require evaluating all of the user's permissions against (potentially) every single object in the bucket, which would be computationally intensive at best and impossible at worst, depending on the specific policy constraints in effect against that user and properties that could be specific to the request that the user makes.

The service does not support such a query.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Items in my S3 bucket are publicly accessible. How do I restrict access so that the S3 Bucket link is only accessible from within my app? S3 performance for LIST by prefix with millions of objects in a single bucket How could I list all objects under a prefix in S3 How do I only allow authenticated user (using cognito) access to their own S3 bucket/key specifically? s3 bucket public access to only certain objects AWS S3 Policy to Restrict User to List Only Certain Folders in a Bucket How to loop through an S3 bucket to copy certain list of folders from S3 bucket to local server AWS S3 Listing API - How to list everything inside S3 Bucket with specific prefix How to list files which has certain tag in S3 bucket? Do I need to enable Public Access when only 1 IAM user can access S3 Bucket?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM