![](/img/trans.png)
[英]S3 Bucket Policy - use “Any Authenticated User” or bucket policy?
[英]How can I set a policy for an s3 bucket that allows authenticated users to list the bucket or get any file from the bucket
我在存儲桶上設置了一個權限,允許“經過身份驗證的用戶”從我創建的存儲桶中列出、上傳和刪除。 這似乎允許我將文件上傳到存儲桶,但似乎從存儲桶下載文件不在此權限范圍內,我需要為存儲桶定義一個策略。 我不清楚如何制定這樣的政策。 我用我最好的猜測嘗試了策略生成器,我應該填寫什么,但是當我將它作為存儲桶的新策略粘貼時,結果不是一個有效的策略(它失敗並顯示消息Action does not apply to any resource(s) in statement - Action "s3:ListBucket" in Statement "Stmt-some-number"
)。 有人可以解釋以下策略有什么問題以及如何正確設置它以允許經過身份驗證的用戶從存儲桶中檢索文件嗎?
{
"Id": "Policy-some-number",
"Statement": [
{
"Sid": "Stmt-some-number",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*",
"Principal": {
"AWS": [
"*"
]
}
}
]
}
s3:GetObject
適用於存儲桶中的對象,因此 Resource 是正確的: "Resource": "arn:aws:s3:::my-bucket/*"
。
s3:ListBucket
適用於 Bucket 本身,因此 Resource 應該是"Resource": "arn:aws:s3:::my-bucket"
您產生的政策應該類似於:
{
"Id": "Policy-some-number",
"Statement": [
{
"Sid": "Stmt-some-number",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*",
"Principal": {
"AWS": [
"*"
]
}
},
{
"Sid": "Stmt-some-other-number",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket",
"Principal": {
"AWS": [
"*"
]
}
}
]
}
只是為了贊美@c4urself 的回答。 答案也有助於解決我的問題,但 AWS 文檔中有一些指示,您可以添加多個資源,只需使用 [] 將它們作為列表。 http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html#vpc-endpoints-s3-bucket-policies
{
"Statement": [
{
"Sid": "Access-to-specific-bucket-only",
"Principal": "*",
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::my_secure_bucket",
"arn:aws:s3:::my_secure_bucket/*"]
}
]
}
只需創建資源和資源數組/列表,並使用 /* 添加一個項目到列表中,因為 s3:GetObject 適用於 arn:aws:s3:::my_secure_bucket/*。 見下文
"Resource": ["arn:aws:s3:::my_secure_bucket",
"arn:aws:s3:::my_secure_bucket/*"
{
"Version": "2012-10-17",
"Id": "Policy1546023103427",
"Statement": [
{
"Sid": "Stmt1546023101836",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::usagereports-atul",
"arn:aws:s3:::usagereports-atul/*"
]
}
]
}
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.