[英]I need an Amazon S3 user with full access to a single bucket
我有一个用户 foo 具有以下权限(它不是任何组的成员):
{
"Statement": [
{
"Sid": "Stmt1308813201865",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::bar"
}
]
}
然而,该用户似乎无法上传或做任何事情,直到我向经过身份验证的用户授予完全访问权限(这可能适用于任何人)。 这仍然不会让用户更改权限,因为boto在尝试执行key.set_acl('public-read')
时在上传后抛出错误。
理想情况下,该用户可以完全访问bar
存储桶,而没有其他权限,我做错了什么?
您需要向存储桶本身授予s3:ListBucket权限。 试试下面的政策。
{
"Statement": [
{
"Effect": "Allow",
"Action": "S3:*",
"Resource": "arn:aws:s3:::bar/*",
"Condition": {}
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::bar",
"Condition": {}
}
]
}
选定的答案对我不起作用,但这个答案对我有用:
{
"Statement": [
{
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
]
}
],
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
}
]
}
信用: http : //mikeferrier.com/2011/10/27/granting-access-to-a-single-s3-bucket-using-amazon-iam/
您了解AWS 策略生成器吗?
在Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket中有官方AWS文档
只需复制并粘贴适当的规则,然后在所有语句中将“Resource”键更改为您的存储桶的 ARN。
对于程序化访问,策略应该是:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::bar"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:DeleteObject"
],
"Resource": ["arn:aws:s3:::bar/*"]
}
]
}
对于控制台访问权限应该是:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::bar*"
},
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::bar"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:DeleteObject"
],
"Resource": ["arn:aws:s3:::bar/*"]
}
]
}
这对我行得通:
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions"
],
"Resource": "arn:aws:s3:::bucket_name_here"
},
{
"Effect": "Allow",
"Action": [
"s3:*Object*",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload"
],
"Resource": "arn:aws:s3:::bucket_name_here/*"
}
]
}
如果您因为无法弄清楚为什么 Cyberduck 无法设置对象 ACL 但它与另一个客户端(如 Panic Transmit)一起工作而一直在纠结,这里是解决方案:
您需要将s3:GetBucketAcl
添加到您的操作列表中,例如:
{
"Statement": [
{
"Sid": "Stmt1",
"Action": [
"s3:GetBucketAcl",
"s3:ListBucket",
"s3:DeleteObject",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::your-bucket-name"
}
]
}
当然,如果您对s3:*
限制较少,则不需要这样做,但我认为了解这一点很好。
@cloudberryman 的回答是正确的,但我喜欢让事情尽可能简短。 这个答案可以简化为:
{
"Statement":[
{
"Effect":"Allow",
"Action":"S3:*",
"Resource":[
"arn:aws:s3:::bar",
"arn:aws:s3:::bar/*"
]
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::YOUR-BUCKET",
"arn:aws:s3:::YOUR-BUCKET/*"
]
}
]
}
我有一个具有以下特权的用户foo(它不是任何组的成员):
{
"Statement": [
{
"Sid": "Stmt1308813201865",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::bar"
}
]
}
但是,在我向身份验证的用户授予完全访问权限(可能适用于任何人)之前,该用户似乎无法上传或执行任何操作。 这仍然不允许用户更改权限,因为boto在尝试执行key.set_acl('public-read')
时在上传后抛出错误。
理想情况下,该用户可以完全访问bar
桶,而没有别的,我在做什么错?
我最近能够让它工作的另一种方法是使用亚马逊的文档。 对我来说,关键是将 IAM 用户指向特定的存储桶,而不是 S3 控制台。 根据文档“警告:更改这些权限后,用户在访问 Amazon S3 主控制台时会收到拒绝访问错误。主控制台链接类似于以下内容:
https://s3.console.aws.amazon.com/s3/home
相反,用户必须使用指向存储桶的直接控制台链接访问存储桶,类似于以下内容:
https://s3.console.aws.amazon.com/s3/buckets/awsexamplebucket/ "
我的政策如下:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1589486662000",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::AWSEXAMPLEBUCKET",
"arn:aws:s3:::AWSEXAMPLEBUCKET/*"
]
}
]
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.