我已经在存储桶上设置了一个权限,允许"Authenticated Users"从我创建的存储桶中列出,上传和删除.这似乎允许我将文件上传到存储桶,但似乎这个权限不包括从存储桶下载文件,而是需要为存储桶定义策略.我不清楚如何制定这样的政策.我在我应该填写的内容中尽可能地猜测了策略生成器,但是当我将其粘贴到存储桶的新策略时(因为消息失败Action does not apply to any resource(s) in statement - Action "s3:ListBucket" in Statement "Stmt-some-number"),结果不是有效的策略.有人可以解释以下策略的错误,以及如何正确设置它以允许经过身份验证的用户从存储桶中检索文件?
{
"Id": "Policy-some-number",
"Statement": [
{
"Sid": "Stmt-some-number",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*",
"Principal": {
"AWS": [
"*"
]
}
}
]
}
c4u*_*elf 83
s3:GetObject适用于存储桶中的对象,因此资源是正确的:"Resource": "arn:aws:s3:::my-bucket/*".
s3:ListBucket 适用于Bucket本身,因此资源应该是 "Resource": "arn:aws:s3:::my-bucket"
您的结果政策应该类似于:
{
"Id": "Policy-some-number",
"Statement": [
{
"Sid": "Stmt-some-number",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*",
"Principal": {
"AWS": [
"*"
]
}
},
{
"Sid": "Stmt-some-other-number",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket",
"Principal": {
"AWS": [
"*"
]
}
}
]
}
moo*_*oot 35
只是为了赞美@ c4urself答案.答案也有助于解决我的问题,但AWS文档中有一些指示,您可以添加多个资源,只需使用[]将它们作为列表. http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html#vpc-endpoints-s3-bucket-policies
{
"Statement": [
{
"Sid": "Access-to-specific-bucket-only",
"Principal": "*",
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::my_secure_bucket",
"arn:aws:s3:::my_secure_bucket/*"]
}
]
}
| 归档时间: |
|
| 查看次数: |
20575 次 |
| 最近记录: |