2011-11-20 98 views
25

我有以下權限的用戶foo(它不屬於任何團體的成員):我需要完全訪問亞馬遜S3用戶單桶

{ 
    "Statement": [ 
    { 
     "Sid": "Stmt1308813201865", 
     "Action": "s3:*", 
     "Effect": "Allow", 
     "Resource": "arn:aws:s3:::bar" 
    } 
    ] 
} 

該用戶卻似乎無法上傳或做任何事情,直到我授予完全訪問經過身份驗證的用戶(可能適用於任何人)。這仍然不會讓用戶更改權限,因爲在上載後發生錯誤時會嘗試執行key.set_acl('public-read')

理想情況下,此用戶可以完全訪問bar存儲桶,沒有別的,我做錯了什麼?

回答

36

您需要授予s3:ListBucket權限才能訪問存儲桶本身。嘗試下面的政策。

{ 
    "Statement": [ 
    { 
     "Effect": "Allow", 
     "Action": "S3:*", 
     "Resource": "arn:aws:s3:::bar/*", 
     "Condition": {} 
    }, 
    { 
     "Effect": "Allow", 
     "Action": [ 
     "s3:ListBucket" 
     ], 
     "Resource": "arn:aws:s3:::bar", 
     "Condition": {} 
    } 
    ] 
} 
+4

一些細微差別:似乎'bar/*'需要訪問'bar'桶中的對象,而'bar'則需要列出/修改存儲桶本身。 – phyzome

+0

使用Cyber​​duck通過上述許可訪問S3似乎不起作用。 Cyber​​Dock可能需要@Suman提及的ListAllMyBuckets。但是,如果您使用[timkay.com](http://www.timkay.com/aws/)中的命令行工具,則此功能完美無缺。 –

+4

非常感謝。我F $%#@^ING討厭s3,其繁瑣的政策。只是浪費了2個小時,直到我終於找到解決方案。 – Nimo

18

選擇的答案並沒有爲我工作,但此人做:

{ 
    "Statement": [ 
    { 
     "Action": "s3:*", 
     "Effect": "Allow", 
     "Resource": [ 
     "arn:aws:s3:::my-bucket", 
     "arn:aws:s3:::my-bucket/*" 
     ] 
    } 
    ], 
    "Statement": [ 
    { 
     "Effect": "Allow", 
     "Action": "s3:ListAllMyBuckets", 
     "Resource": "arn:aws:s3:::*" 
    } 
    ] 
} 

信用:http://mikeferrier.com/2011/10/27/granting-access-to-a-single-s3-bucket-using-amazon-iam/

+3

這允許列出所有存儲桶,並且不會限制對相關存儲桶的訪問。 –

+2

對我來說+1:投票的人沒有與Ruby的霧寶石一起工作,但這個conf工作。 –

+4

@Thanh Nguyen:錯了。它將列出所有的桶,但僅提供對策略中的所述桶的訪問。 – slayedbylucifer

0

這對我的作品:

{ 
    "Statement": [ 
     { 
      "Effect": "Allow", 
      "Action": [ 
       "s3:ListBucket", 
       "s3:GetBucketLocation", 
       "s3:ListBucketMultipartUploads", 
       "s3:ListBucketVersions" 
      ], 
      "Resource": "arn:aws:s3:::bucket_name_here" 
     }, 
     { 
      "Effect": "Allow", 
      "Action": [ 
       "s3:*Object*", 
       "s3:ListMultipartUploadParts", 
       "s3:AbortMultipartUpload" 
      ], 
      "Resource": "arn:aws:s3:::bucket_name_here/*" 
     } 
    ] 
} 
0

如果你已經因爲你無法弄清楚爲什麼Cyber​​duck無法設置對象ACL,但它可以與另一個客戶端(如Panic Transmit)一起工作,因此解決方案如下:

您需要添加s3:GetBucketAcl到您的動作列表,例如:

{ 
    "Statement": [ 
     { 
      "Sid": "Stmt1", 
      "Action": [ 
       "s3:GetBucketAcl", 
       "s3:ListBucket", 
       "s3:DeleteObject", 
       "s3:GetObject", 
       "s3:GetObjectAcl", 
       "s3:PutObject", 
       "s3:PutObjectAcl" 
      ], 
      "Effect": "Allow", 
      "Resource": "arn:aws:s3:::your-bucket-name" 
     } 
    ] 
} 

當然,如果你是s3:*限制較少,但我認爲這是很好的瞭解你不需要做到這一點。

1

有一個在Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket

只需複製並粘貼相應的規則,將「資源」關鍵是你斗的ARN中的所有語句官方AWS文檔。

對於programamtic訪問的政策應該是:

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
     { 
      "Effect": "Allow", 
      "Action": ["s3:ListBucket"], 
      "Resource": ["arn:aws:s3:::bar"] 
     }, 
     { 
      "Effect": "Allow", 
      "Action": [ 
       "s3:PutObject", 
       "s3:PutObjectAcl", 
       "s3:GetObject", 
       "s3:GetObjectAcl", 
       "s3:DeleteObject" 
      ], 
      "Resource": ["arn:aws:s3:::bar/*"] 
     } 
    ] 
} 

而對於控制檯訪問訪問應該是:

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
     { 
      "Effect": "Allow", 
      "Action": [ 
       "s3:GetBucketLocation", 
       "s3:ListAllMyBuckets" 
      ], 
      "Resource": "arn:aws:s3:::bar*" 
     }, 
     { 
      "Effect": "Allow", 
      "Action": ["s3:ListBucket"], 
      "Resource": ["arn:aws:s3:::bar"] 
     }, 
     { 
      "Effect": "Allow", 
      "Action": [ 
       "s3:PutObject", 
       "s3:PutObjectAcl", 
       "s3:GetObject", 
       "s3:GetObjectAcl", 
       "s3:DeleteObject" 
      ], 
      "Resource": ["arn:aws:s3:::bar/*"] 
     } 
    ] 
} 
0

@ cloudberryman的答案是正確的,但我喜歡做的事情爲儘可能短。這個答案可以簡化爲:

{ 
    "Statement":[ 
     { 
     "Effect":"Allow", 
     "Action":"S3:*", 
     "Resource":[ 
      "arn:aws:s3:::bar", 
      "arn:aws:s3:::bar/*" 
     ] 
     } 
    ] 
}