Hoo*_*ini 1 amazon-s3 amazon-web-services amazon-iam
我有一个名为 ... 的 S3 存储桶,my-bucket此存储桶内有几个子文件夹,我们称它们为:sub-folder1、sub-folder2等
我希望my-bucket-user拥有该存储桶的读取权限和所有子文件夹的完全控制权限(因此该用户无法在根级别写入)。
我已经尝试了以下存储桶策略,该策略专门授予每个子文件夹的权限...但如果我有很多子文件夹,此策略会变得太长。
{
"Id": "MyBucketPolicy",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListPermissionOnMyBucket",
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*",
"Principal": {
"AWS": [
"arn:aws:iam::773643377756:user/my-bucket-user"
]
}
},
{
"Sid": "FullControlAccessOnSubFolder1",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/sub-folder1/*",
"Principal": {
"AWS": [
"arn:aws:iam::773643377756:user/my-bucket-user"
]
}
},
{
"Sid": "FullControlAccessOnSubFolder2",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/sub-folder2/*",
"Principal": {
"AWS": [
"arn:aws:iam::773643377756:user/my-bucket-user"
]
}
}
]
}
有没有更好的方法来编写这个策略?
此策略允许列出存储桶的全部内容,但仅上传/下载到子文件夹(而不是存储桶的根目录):
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "s3:ListBucket",
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket"
},
{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*/*"
}
]
}
基本上,该表达式my-bucket/*/*强制要求/对象的 Key 中包含 a,这意味着它位于子文件夹中。
| 归档时间: |
|
| 查看次数: |
483 次 |
| 最近记录: |