
How do I restrict access to S3 resources using get_federation_token?

I am trying to use a federation token to manage access to a folder in an S3 bucket. However, in my sample code the user can access the whole bucket. The following spec passes, but based on this document I expected it to fail: http://blogs.aws.amazon.com/security/post/Tx1DM54S2Q7TC8U/Understanding-the-API-options-for-securely-delegating-access-to-your-AWS-account

describe "assumed credentials" do
  let(:policy) {
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect":"Allow",
          "Action":"s3:ListBucket",
          "Resource":["arn:aws:s3:::bucket-name"],
          "Condition":{"StringLike":{"s3:prefix":"000/"}}
        }
      ]
    }
  }
  it "should allow upload with federation credentials" do
    client = Aws::STS::Client.new
    token = client.get_federation_token(
      policy: policy.to_json,
      duration_seconds: 900,
      name: 'S3-User'
    )

    s3 = Aws::S3::Resource.new(
      Aws::Credentials.new(
        token.credentials.access_key_id,
        token.credentials.secret_access_key,
        token.credentials.session_token
      )
    )
    bucket = s3.bucket('bucket-name')
    obj = bucket.object('00a/temporary3')
    obj.delete
    obj.put(body:'Hello World!')
    expect(obj.exists?).to be
  end
end

I have found many questions from people who cannot access a resource, but I seem to have the opposite problem.

Thanks

The ruby gem does not let you create a resource from credentials. You need to do the following:

client = Aws::STS::Client.new
token = client.get_federation_token(
  policy: policy.to_json,
  duration_seconds: 900,
  name: 'S3-User23'
)
# Wrap the temporary STS credentials in an Aws::Credentials object the SDK understands.
creds = Aws::Credentials.new(
  token.credentials.access_key_id,
  token.credentials.secret_access_key,
  token.credentials.session_token
)
# Make them the default for every client and resource created from here on;
# Aws::S3::Resource.new(credentials: creds) would scope them to a single resource instead.
Aws.config.update(credentials: creds)

# No arguments: the resource now picks up the federated credentials from Aws.config.
s3 = Aws::S3::Resource.new
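As an added illustration (not code from the question or the answer), the block below builds the scoped-down policy that get_federation_token should receive for a single folder, and evaluates it offline with a small StringLike/wildcard matcher. It shows that a PutObject to `00a/temporary3` is not covered by a policy scoped to `000/`, so a successful put in the spec means the default credentials were used, not the federated ones. The evaluator is a simplified assumption (Allow statements and StringLike only); the real service also intersects the passed policy with the federating IAM user's own permissions.

```ruby
require 'json'

# Policy restricting a federated user to one prefix in one bucket:
# ListBucket is limited by the s3:prefix condition, object actions by the resource ARN.
def prefix_policy(bucket, prefix)
  {
    'Version' => '2012-10-17',
    'Statement' => [
      { 'Effect' => 'Allow', 'Action' => 's3:ListBucket',
        'Resource' => "arn:aws:s3:::#{bucket}",
        'Condition' => { 'StringLike' => { 's3:prefix' => "#{prefix}*" } } },
      { 'Effect' => 'Allow',
        'Action' => %w[s3:GetObject s3:PutObject s3:DeleteObject],
        'Resource' => "arn:aws:s3:::#{bucket}/#{prefix}*" }
    ]
  }
end

# IAM-style wildcard match: '*' matches any run of characters, '?' exactly one.
def wildcard_match?(pattern, value)
  re = Regexp.escape(pattern).gsub('\*', '.*').gsub('\?', '.')
  value.match?(/\A#{re}\z/)
end

# Simplified evaluator (assumption: Allow statements and StringLike conditions only).
# Returns true when some statement allows `action` on `resource` for the given
# request context; a condition key missing from the context fails the condition.
def allowed?(policy, action, resource, context = {})
  policy['Statement'].any? do |st|
    next false unless st['Effect'] == 'Allow'
    next false unless Array(st['Action']).any? { |a| wildcard_match?(a, action) }
    next false unless Array(st['Resource']).any? { |r| wildcard_match?(r, resource) }
    cond = st.fetch('Condition', {}).fetch('StringLike', {})
    cond.all? do |key, pat|
      context.key?(key) && Array(pat).any? { |p| wildcard_match?(p, context[key]) }
    end
  end
end

# Constructed check mirroring the spec in the question: '000/' is allowed, '00a/' is not.
policy = prefix_policy('bucket-name', '000/')
puts policy.to_json
puts allowed?(policy, 's3:PutObject', 'arn:aws:s3:::bucket-name/000/temporary3')  # true
puts allowed?(policy, 's3:PutObject', 'arn:aws:s3:::bucket-name/00a/temporary3')  # false
```

Pass `policy.to_json` as the `policy:` argument of get_federation_token; the JSON string is what the API expects.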
