Kit*_*nde 32 amazon-s3 amazon-web-services user-permissions amazon-iam
我有一个具有以下权限的用户foo(它不是任何组的成员):
{
"Statement": [
{
"Sid": "Stmt1308813201865",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::bar"
}
]
}
然而,在我授予对经过身份验证的用户(可能适用于任何人)的完全访问权限之前,该用户似乎无法上传或执行任何操作.这仍然不允许用户更改权限,因为boto在尝试执行上传后会抛出错误key.set_acl('public-read').
理想情况下,这个用户可以完全访问bar存储桶,没有别的,我做错了什么?
小智 41
您需要向存储桶本身授予s3:ListBucket权限.请尝试以下政策.
{
"Statement": [
{
"Effect": "Allow",
"Action": "S3:*",
"Resource": "arn:aws:s3:::bar/*",
"Condition": {}
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::bar",
"Condition": {}
}
]
}
Sum*_*man 20
选定的答案对我不起作用,但是这个答案:
{
"Statement": [
{
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
]
}
],
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
}
]
}
图片来源:http://mikeferrier.com/2011/10/27/granting-access-to-a-single-s3-bucket-using-amazon-iam/
有一个官方 AWS 文档:编写 IAM 策略:如何授予对 Amazon S3 存储桶的访问权限
只需复制并粘贴适当的规则,然后将所有语句中的“资源”键更改为存储桶的 ARN。
对于编程访问,策略应该是:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::bar"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:DeleteObject"
],
"Resource": ["arn:aws:s3:::bar/*"]
}
]
}
对于控制台访问访问应该是:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::bar*"
},
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::bar"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:DeleteObject"
],
"Resource": ["arn:aws:s3:::bar/*"]
}
]
}
| 归档时间: |
|
| 查看次数: |
28077 次 |
| 最近记录: |