我有以下權限的用戶foo(它不屬於任何團體的成員):我需要完全訪問亞馬遜S3用戶單桶
{
"Statement": [
{
"Sid": "Stmt1308813201865",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::bar"
}
]
}
該用戶卻似乎無法上傳或做任何事情,直到我授予完全訪問經過身份驗證的用戶(可能適用於任何人)。這仍然不會讓用戶更改權限,因爲boto在上載後發生錯誤時會嘗試執行key.set_acl('public-read')。
理想情況下,此用戶可以完全訪問bar存儲桶,沒有別的,我做錯了什麼?
您需要授予s3:ListBucket權限才能訪問存儲桶本身。嘗試下面的政策。
{
"Statement": [
{
"Effect": "Allow",
"Action": "S3:*",
"Resource": "arn:aws:s3:::bar/*",
"Condition": {}
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::bar",
"Condition": {}
}
]
}
選擇的答案並沒有爲我工作,但此人做:
{
"Statement": [
{
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
]
}
],
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
}
]
}
信用:http://mikeferrier.com/2011/10/27/granting-access-to-a-single-s3-bucket-using-amazon-iam/
這允許列出所有存儲桶,並且不會限制對相關存儲桶的訪問。 –
對我來說+1:投票的人沒有與Ruby的霧寶石一起工作,但這個conf工作。 –
@Thanh Nguyen:錯了。它將列出所有的桶,但僅提供對策略中的所述桶的訪問。 – slayedbylucifer
這對我的作品:
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions"
],
"Resource": "arn:aws:s3:::bucket_name_here"
},
{
"Effect": "Allow",
"Action": [
"s3:*Object*",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload"
],
"Resource": "arn:aws:s3:::bucket_name_here/*"
}
]
}
如果你已經因爲你無法弄清楚爲什麼Cyberduck無法設置對象ACL,但它可以與另一個客戶端(如Panic Transmit)一起工作,因此解決方案如下:
您需要添加s3:GetBucketAcl到您的動作列表,例如:
{
"Statement": [
{
"Sid": "Stmt1",
"Action": [
"s3:GetBucketAcl",
"s3:ListBucket",
"s3:DeleteObject",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::your-bucket-name"
}
]
}
當然,如果你是s3:*限制較少,但我認爲這是很好的瞭解你不需要做到這一點。
有一個在Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket
只需複製並粘貼相應的規則,將「資源」關鍵是你斗的ARN中的所有語句官方AWS文檔。
對於programamtic訪問的政策應該是:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::bar"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:DeleteObject"
],
"Resource": ["arn:aws:s3:::bar/*"]
}
]
}
而對於控制檯訪問訪問應該是:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::bar*"
},
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::bar"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:DeleteObject"
],
"Resource": ["arn:aws:s3:::bar/*"]
}
]
}
@ cloudberryman的答案是正確的,但我喜歡做的事情爲儘可能短。這個答案可以簡化爲:
{
"Statement":[
{
"Effect":"Allow",
"Action":"S3:*",
"Resource":[
"arn:aws:s3:::bar",
"arn:aws:s3:::bar/*"
]
}
]
}
一些細微差別:似乎'bar/*'需要訪問'bar'桶中的對象,而'bar'則需要列出/修改存儲桶本身。 – phyzome
使用Cyberduck通過上述許可訪問S3似乎不起作用。 CyberDock可能需要@Suman提及的ListAllMyBuckets。但是,如果您使用[timkay.com](http://www.timkay.com/aws/)中的命令行工具,則此功能完美無缺。 –
非常感謝。我F $%#@^ING討厭s3,其繁瑣的政策。只是浪費了2個小時,直到我終於找到解決方案。 – Nimo