
AmazonS3Exception: Access Denied

I am trying to connect to an S3 bucket to upload/download images.

My code to create the S3 client is as follows:

AmazonS3 s3 = AmazonS3ClientBuilder
            .standard()
            .withRegion("EU-WEST-2")
            .build();

I get the following exception:

com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 8574612863BD8DC2; S3 Extended Request ID: ueyZy/RLMerNtHeYaOTlRVAqD7w1CksWrjfNLuMgxPWXQbNGDF1Y04RUs4Gh9HeHMwLXxjBc+5o=), S3 Extended Request ID: ueyZy/RLMerNtHeYaOTlRVAqD7w1CksWrjfNLuMgxPWXQbNGDF1Y04RUs4Gh9HeHMwLXxjBc+5o=
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1630)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1302)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1056)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:743)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:717)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:699)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:667)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:649)
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:513)
    at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:4330)
    at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:4277)
    at com.amazonaws.services.s3.AmazonS3Client.getObject(AmazonS3Client.java:1410)
    at uk.nhs.digital.cid.pyi.services.paycasso.PaycassoService.registerDocument(PaycassoService.java:80)
    at uk.nhs.digital.cid.pyi.harness.PaycassoClientTestHarness.testVeriSure(PaycassoClientTestHarness.java:61)
    at uk.nhs.digital.cid.pyi.harness.PaycassoClientTestHarness.main(PaycassoClientTestHarness.java:36)

Try this. You need to change env.getProperty("amazon.accessKey") according to your access key and secret.

    public AmazonS3 getAmazonS3Client() {
        ClientConfiguration clientConfig = new ClientConfiguration();
        // Protocol.HTTP sends requests without TLS; the SDK default is Protocol.HTTPS.
        clientConfig.setProtocol(Protocol.HTTP);
        AmazonS3 s3client = new AmazonS3Client(getAmazonCredentials(), clientConfig);
        // Path-style addressing (endpoint/bucket/key) with chunked encoding disabled.
        s3client.setS3ClientOptions(S3ClientOptions
                .builder()
                .setPathStyleAccess(true)
                .disableChunkedEncoding().build());

        return s3client;
    }

    public AWSCredentials getAmazonCredentials() {
        // Access key and secret key are read from the application properties.
        AWSCredentials credentials = new BasicAWSCredentials(
                env.getProperty("amazon.accessKey"),
                env.getProperty("amazon.secretKey")
        );
        return credentials;
    }

To check whether the bucket exists and upload files, see this:

    AmazonS3 s3client = amazonS3ClientService.getAmazonS3Client();
    if (!s3client.doesBucketExistV2(env.getProperty("amazon.bucket"))) {
        System.out.println("Bucket is not Exist.");
        return RepeatStatus.FINISHED;
    }

    // Upload Dir
    TransferManager transferManager = new TransferManager(amazonS3ClientService.getAmazonCredentials());
    MultipleFileUpload upload =
            transferManager.uploadDirectory(env.getProperty("amazon.bucket"), file.getName(), file, true);

If you want to upload a single file, try this:

    s3client.putObject(bucket_name, key_name, new File(file_path));

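You have two problems.

  1. You are using a string for the region. You need to use .withRegion(Regions.EU_WEST_2)
  2. From your comments to your question, I understand that you are not using credentials. Even if your bucket is public, you must use AWS credentials to use AWS APIs. Anonymous credentials are not supported.

If you want to use anonymous credentials (which means no credentials), use the normal HTTP URL, https://s3.amazonaws.com/bucket/object, with a library such as HttpUrlConnection.

In some cases a string is allowed for .withRegion(), but only if the region is not in the Regions enum.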
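An added example, not part of the original answers: a minimal check that builds the client with the Regions enum and the SDK's default credential provider chain, prints the principal that is actually signing requests (STS GetCallerIdentity), and reports the error code and request ID when S3 returns 403. The class name S3AccessCheck and the bucket/key command-line arguments are assumptions made for the example.

```java
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.AmazonS3Exception;
import com.amazonaws.services.s3.model.S3Object;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.GetCallerIdentityRequest;

// Hypothetical helper class: usage is "S3AccessCheck <bucket> <key>".
public class S3AccessCheck {
    public static void main(String[] args) throws Exception {
        String bucket = args[0];   // placeholder: your bucket name
        String key = args[1];      // placeholder: an object key you expect to read

        // Enum constant instead of the string "EU-WEST-2" used in the question.
        Regions region = Regions.EU_WEST_2;

        // Resolves credentials from env vars, system properties, the profile file
        // or the instance/container role. Throws on first use if none are found,
        // which separates "no credentials" from "credentials without permission".
        AWSCredentialsProvider creds = DefaultAWSCredentialsProviderChain.getInstance();

        // GetCallerIdentity needs no IAM permission, so it works even for a
        // principal that has no S3 access at all.
        AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
                .withRegion(region).withCredentials(creds).build();
        String arn = sts.getCallerIdentity(new GetCallerIdentityRequest()).getArn();
        System.out.println("Signing requests as: " + arn);

        // Default client configuration, so requests go over HTTPS.
        AmazonS3 s3 = AmazonS3ClientBuilder.standard()
                .withRegion(region).withCredentials(creds).build();

        try (S3Object obj = s3.getObject(bucket, key)) {
            System.out.println("GetObject OK, content length: "
                    + obj.getObjectMetadata().getContentLength());
        } catch (AmazonS3Exception e) {
            if (e.getStatusCode() != 403) {
                throw e;
            }
            // The principal authenticated but is not authorized for this object:
            // check its IAM policy and the bucket policy for s3:GetObject.
            System.err.println("403 " + e.getErrorCode() + " for principal " + arn
                    + " on s3://" + bucket + "/" + key + " (request ID " + e.getRequestId() + ")");
        }
    }
}
```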

I also tried

    AWSCredentials credentials;
    try {
        credentials = new ProfileCredentialsProvider().getCredentials();
    } catch (Exception e) {
        throw new AmazonClientException("Cannot load the credentials from the credential profiles file. "
                + "Please make sure that your correct credentials file is at the correct "
                + "location (/Users/userid/.aws/credentials), and is in valid format.", e);
    }
    AWSSecurityTokenServiceClient stsClient = new AWSSecurityTokenServiceClient(credentials);

    AssumeRoleRequest assumeRequest = new AssumeRoleRequest().withRoleArn(ROLE_ARN).withDurationSeconds(3600)
            .withRoleSessionName("demo");

    AssumeRoleResult assumeResult = stsClient.assumeRole(assumeRequest);

    BasicSessionCredentials temporaryCredentials = new BasicSessionCredentials(
            assumeResult.getCredentials().getAccessKeyId(), assumeResult.getCredentials().getSecretAccessKey(),
            assumeResult.getCredentials().getSessionToken());

    s3Client = new AmazonS3Client(temporaryCredentials).withRegion(Regions.EU_WEST_2);

Give your IAM role programmatic access, and also give write permission in the bucket policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "mybucketpolicy",
          "Effect": "Allow",
          "Principal": {"Service": "s3.amazonaws.com"},
          "Action": ["s3:PutObject"],
          "Resource": ["arn:aws:s3:::destination-bucket/*"],
          "Condition": {
            "ArnLike": {
              "aws:SourceArn": "arn:aws:s3:::source-bucket"
            },
            "StringEquals": {
              "aws:SourceAccount": "accid",
              "s3:x-amz-acl": "bucket-owner-full-control"
            }
          }
        }
      ]
    }
