針對boto3 S3 API調用的文件夾特定IAM權限

所以我有一個用戶，其IAM權限設置爲以下。它只是爲了讓他們創建/刪除/列表/等。對象存儲在「Target_Folder /」中。針對boto3 S3 API調用的文件夾特定IAM權限

{ 
"Version": "2012-10-17", 
"Statement": [ 
    { 
     "Sid": "Stmt123456789", 
     "Effect": "Allow", 
     "Action": [ 
      "s3:CreateBucket", 
      "s3:DeleteObject", 
      "s3:GetObject", 
      "s3:ListBucket", 
      "s3:PutObject" 
     ], 
     "Resource": [ 
      "arn:aws:s3:::bucket/Target_Folder/*" 
     ] 
    } 
    ] 
}

使用boto3，我在配置中嵌入了相關的aws_access_key_id和aws_secret_access_key。這樣做後，我發現我無法瓶坯「//TARGET_FOLDER」的中的任何動作，如：

import boto3 
import boto.s3.transfer 
#Need to manually import S3Transfer() for some reason. 
from boto.s3.transfer import S3Transfer 

bucket = 'bucket' 
prefix = 'Test_Folder/' 

client = boto3.client(s3) 

#Attempt to print objects under the Target_Folder 
response = client.list_objects(Bucket = bucket, Prefix = prefix) 
for file in response['Contents']: 
    print(file['key']) 


#Attempt to upload file 
transfer = S3Transfer(client) 
transfer.upload_file('C:/filepath/file', bucket, prefix)

最終，不管用什麼辦法，我收到一個"botocore.exceptions.ClientError: An error occured (SignatureDoesNotMatch)...."。相反，如果我使用具有更多開放存儲桶權限的密鑰/祕密密鑰對，則不存在與API交互的問題。如果已經在另一個線程中得到了回答或澄清，我很抱歉，在搜索過程中我找不到任何好的東西。

來源

2017-07-10 Sean

首先，s3存儲桶bucket應該存在。

您需要在S3存儲分配s3:ListBucket權限，那麼你就可以得到該目的的訪問權限在此鬥

{ 
"Version": "2012-10-17", 
"Statement": [ 
    { 
     "Effect":"Allow", 
     "Action":[ 
      "s3:ListBucket", 
      "s3:GetBucketLocation" 
     ], 
     "Resource":"arn:aws:s3:::bucket" 
    }, 
    { 
     "Sid": "Stmt123456789", 
     "Effect": "Allow", 
     "Action": [ 
      "s3:CreateBucket", # and this should be removed. 
      "s3:DeleteObject", 
      "s3:GetObject", 
      "s3:ListBucket", 
      "s3:PutObject" 
     ], 
     "Resource": [ 
      "arn:aws:s3:::bucket/Target_Folder/*" 
     ] 
    } 
    ] 
}

來源

2017-07-13 05:44:09 BMW

針對boto3 S3 API調用的文件夾特定IAM權限

回答

相關問題