無法授予 Cognito 用戶對特定 S3 存儲桶的訪問權限
[英]Not able to give a Cognito User access on a certain S3 bucket
問題描述
我有一個用戶池和一個身份池,我在身份池中為身份驗證用戶提供的角色具有以下策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutBucketPolicy",
"s3:CreateBucket"
],
"Resource": [
"arn:aws:s3:::testbucket123",
"arn:aws:s3:::testbucket456",
"arn:aws:s3:::testbucket987"
]
}
]
}
我使用 Web Identity 創建了一個名為Role_testbucket456_User_X的新角色,並添加了一個條件,其中cognito-identity.amazonaws.com:sub是 stringEquals to 8e23d688-1f28-445c-8966-fdcb967c8e3c ,並附加了以下策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::testbucket456"
}
]
}
然后我將具有子8e23d688-1f28-445c-8966-fdcb967c8e3c的 Cognito 用戶 Y 添加到名為testbucket456_Users的 Cognito 用戶池組
然后將角色Role_testbucket456_User_X附加到這個組testbucket456_Users
我期望的是,除了具有子8e23d688-1f28-445c-8966-fdcb967c8e3c的用戶 Y 能夠訪問testbucket456存儲桶上的讀/寫之外,沒有任何 Cognito 用戶對任何 S3 存儲桶具有讀/寫訪問權限。 但不幸的是,這並沒有奏效。
因此,我已將以下存儲桶策略添加到testbucket456存儲桶中:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCognitoUserAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::5555555555555:role/Role_testbucket456_User_X"
},
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::testbucket456/*"
},
{
"Sid": "AllowCognitoUserAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::5555555555555:role/Role_testbucket456_User_X"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::testbucket456"
}
]
}
但這仍然沒有用,每當我嘗試調用此方法時,我仍然遇到訪問被拒絕的問題:
const listObjectParams = {
Bucket: 'testbucket456',
};
s3.listObjects(listObjectParams, (err: any, data: any) => {
if (err) {
console.log(err);
return;
}
console.log(data);
console.log(`Successfully listed objects in `);
});
筆記
當我將testbucket456存儲桶的策略設置為
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCognitoUserAccess",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::testbucket456/*"
},
{
"Sid": "AllowCognitoUserAccess",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::testbucket456"
}
]
}
然后我可以使用 Cognito 用戶訪問(列出對象)存儲桶,我認為問題出在存儲桶的策略本身,特別是在Principal字段中。
可能的問題
- 也許經過身份驗證的角色必須具有承擔自定義角色的權限
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::5555555555555:role/Role_testbucket456_User_X"
}
像下面這樣:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:CreateBucket"
],
"Resource": [
"arn:aws:s3:::testbucket456"
]
},
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::5555555555555:role/Role_testbucket456_User_X"
}
]
}
有人可以確認嗎?
1 個解決方案
解決方案1
0 已采納 2023-01-24 12:29:51
這個答案就是解決方案,我不得不更改賦予 Cognito 用戶的默認角色
僅授予特定用戶對 S3 存儲桶的訪問權限,無公共訪問權限
[英]Grant access to an S3 bucket for a specific user only, no public access
如何在沒有 AWS cognito 身份驗證的情況下使用 Flutter Amplify 訪問 S3 存儲桶
[英]How to access S3 bucket using Flutter Amplify without authentication from AWS cognito
如何允許經過 Cognito 身份驗證的用戶獲得對 s3 存儲桶的公共訪問權限
[英]how to allow cognito authenticated users to get public access to s3 bucket
訪問 S3 存儲桶中的選擇性文件夾 visa AWS Transfer User
[英]Access selective folders in S3 bucket visa AWS Transfer User
使用 cloudformation 模板向公眾授予對 s3 存儲桶對象的讀取和查看權限
[英]give public read and view access to s3 bucket objects using cloudformation template
為什么即使我在存儲桶策略中授予用戶也無法訪問我們的 S3 存儲桶?
[英]why user can't access our S3 bucket even after I granted in the bucket policy?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.
相關問題
允許訪問 Cognito 用戶的 AWS S3 存儲桶策略
如何添加“s3:ListBucket/”以授予對存儲桶的訪問權限
僅授予特定用戶對 S3 存儲桶的訪問權限,無公共訪問權限
如何在沒有 AWS cognito 身份驗證的情況下使用 Flutter Amplify 訪問 S3 存儲桶
如何允許經過 Cognito 身份驗證的用戶獲得對 s3 存儲桶的公共訪問權限
用戶明智地限制訪問 s3 存儲桶媒體 URL (AWS)
基於用戶標簽確定 S3 Bucket 訪問的 IAM 策略
訪問 S3 存儲桶中的選擇性文件夾 visa AWS Transfer User
使用 cloudformation 模板向公眾授予對 s3 存儲桶對象的讀取和查看權限
為什么即使我在存儲桶策略中授予用戶也無法訪問我們的 S3 存儲桶?
相關標簽