1. 首頁
  2. 問答
  3. AWS S3 403對新IAM用戶新創建的IAM內聯策略的禁止錯誤

AWS S3 403對新IAM用戶新創建的IAM內聯策略的禁止錯誤

2016-06-26 62 views
0

我有一個全新的IAM用戶,我想要上傳&對我新創建的存儲桶的讀取權限 - myappAWS S3 403對新IAM用戶新創建的IAM內聯策略的禁止錯誤

這是我現在用我的用戶的策略:

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
     { 
      "Effect": "Allow", 
      "Action": [ 
       "s3:GetBucketLocation", 
       "s3:ListAllMyBuckets" 
      ], 
      "Resource": "arn:aws:s3:::*" 
     }, 
     { 
      "Effect": "Allow", 
      "Action": [ 
       "s3:ListBucket" 
      ], 
      "Resource": [ 
       "arn:aws:s3:::myapp" 
      ] 
     }, 
     { 
      "Effect": "Allow", 
      "Action": [ 
       "s3:PutObject", 
       "s3:GetObject", 
       "s3:DeleteObject" 
      ], 
      "Resource": [ 
       "arn:aws:s3:::myapp/*" 
      ] 
     } 
    ] 
}

有了這個政策,我可以登錄到控制檯,我可以創建文件夾,我可以將圖片上傳到這些文件夾。

然而,當我試圖通過我的應用程序上傳圖片,這就是我得到:

Excon::Errors::Forbidden at /jobs 
Expected(200) <=> Actual(403 Forbidden) 
excon.error.response 
    :body   => "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>0FF1D4848595DCFB</RequestId><HostId>+RrQvNFwV2hAcYPK3ZJJYzy5uiA7Aag0oc1Gpp3hENJ9lzJz453j8qJeLbdQ8jN4cc3ViRJ1lEg=</HostId></Error>" 
    :cookies  => [ 
    ] 
    :headers  => { 
    "Connection"  => "close" 
    "Content-Type"  => "application/xml" 
    "Date"    => "Sat, 25 Jun 2016 18:54:24 GMT" 
    "Server"   => "AmazonS3" 
    "x-amz-id-2"  => "+R3ViRJ1lEg=" 
    "x-amz-request-id" => "0FF1DCFB" 
    } 
    :host   => "s3.amazonaws.com" 
    :local_address => "192.168.1.102" 
    :local_port => 23456 
    :path   => "/logos/company/logo/48/amped-logo.png" 
    :port   => 443 
    :reason_phrase => "Forbidden" 
    :remote_ip  => "xx.xx.xxx.xxx" 
    :status  => 403 
    :status_line => "HTTP/1.1 403 Forbidden\r\n"

這裏是我的CORS規則:

<?xml version="1.0" encoding="UTF-8"?> 
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> 
    <CORSRule> 
     <AllowedOrigin>http://localhost:3000</AllowedOrigin> 
     <AllowedMethod>HEAD</AllowedMethod> 
     <AllowedMethod>GET</AllowedMethod> 
     <AllowedMethod>PUT</AllowedMethod> 
     <AllowedMethod>POST</AllowedMethod> 
     <AllowedMethod>DELETE</AllowedMethod> 
     <ExposeHeader>ETag</ExposeHeader> 
     <AllowedHeader>*</AllowedHeader> 
    </CORSRule> 
</CORSConfiguration>

這是我config/initializers/carrierwave.rb文件:

CarrierWave.configure do |config| 
    config.fog_credentials = { 
    provider:    'AWS', 
    aws_access_key_id:  ENV["MYAPP_S3_KEY"], 
    aws_secret_access_key: ENV["MYAPP_SECRET_KEY"] 
    } 
    config.fog_directory = ENV["MYBUCKET"] 
end

什麼可能導致這種情況,我該如何解決?

來源

2016-06-26 marcamillion

回答

1

我其實只是想通了,這是一件小事。

我只需要將"s3:PutObjectAcl"添加到我的政策中。

所以,現在,我的政策是這樣的:

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
     { 
      "Effect": "Allow", 
      "Action": [ 
       "s3:GetBucketLocation", 
       "s3:ListAllMyBuckets" 
      ], 
      "Resource": "arn:aws:s3:::*" 
     }, 
     { 
      "Effect": "Allow", 
      "Action": [ 
       "s3:ListBucket" 
      ], 
      "Resource": [ 
       "arn:aws:s3:::myapp" 
      ] 
     }, 
     { 
      "Effect": "Allow", 
      "Action": [ 
       "s3:PutObject", 
       "s3:PutObjectAcl", 
       "s3:GetObject", 
       "s3:DeleteObject" 
      ], 
      "Resource": [ 
       "arn:aws:s3:::myapp/*" 
      ] 
     } 
    ] 
}

現在的作品。

我從this answer得到了小費,這節省了我的培根。

來源

2016-06-26 05:53:43 marcamillion

相關問題

 相關問題