AWS S3 ListMultipartUploads：訪問被拒絕

Question

我已經關注此博客 ，以便使用Web Identity Federation設置我的AWS IAM和S3帳戶。 我能夠驗證和接收會話憑證和令牌都很好。 我也可以下載和上傳對象。 但是，我得到了：

拒絕訪問

在以下ListMultipartUploads請求中：

var request = new ListMultipartUploadsRequest()
{
    BucketName = bucketName,
    Prefix = $"{UserId}/"
};

var response = await s3Client.ListMultipartUploadsAsync(request);

附加到我的IAM角色的訪問策略是：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::mybucket/${myidentityprovider:userId}/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": "${myidentityprovider:userId}/"
                }
            }
        }
    ]
}

如您所見，我擁有“s3：ListBucketMultipartUploads”權限，因此用戶應該能夠在其存儲桶上執行ListMultiPartUploads。 我究竟做錯了什么？

Answer 1

我在你的前綴語句中看到一個錯誤，

它需要是一個數組，

“s3：prefix”：[“$ {myidentityprovider：userId} / *”]

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "s3:AbortMultipartUpload",
            "s3:DeleteObject",
            "s3:GetObject",
            "s3:PutObject"
        ],
        "Resource": "arn:aws:s3:::mybucket/${myidentityprovider:userId}/*"
    },
    {
        "Effect": "Allow",
        "Action": [
            "s3:ListBucket",
            "s3:ListBucketMultipartUploads"
        ],
        "Resource": [
            "arn:aws:s3:::mybucket"
        ],
        "Condition": {
            "StringLike": {
                "s3:prefix": ["${myidentityprovider:userId}/*"]
            }
        }
    }
]}