我正在将我的应用程序的个人资料图片存储在AWS S3中。我可以在本地主机上运行它,但是在生产环境中运行时会出现错误:
[Wed Nov 04 00:34:53.554807 2020] [:error] [pid 14967] [remote 172.31.2.3:112] botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
以下是我与BuckObject有关的存储桶策略的一部分:
"Version": "2008-10-17",
"Statement": [
{
"Sid": "*****",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam:::******role/aws-elasticbeanstalk-ec2-role"
},
"Action": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::******/resources/environments/logs/*"
},
我不确定为什么它可以在我的本地主机上运行,但是在我部署它时却不能。任何帮助将不胜感激。
答案 0 :(得分:0)
我终于能够使它起作用。它要求我为存储桶策略中使用的角色制定新的角色策略。这是我的自定义角色政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectTagging",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::elasticbeanstalk-us-east-2-*****/profile-pictures/*",
"arn:aws:s3:::elasticbeanstalk-us-east-2-*****"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:GetAccessPoint",
"s3:GetAccountPublicAccessBlock",
"s3:ListAllMyBuckets",
"s3:ListAccessPoints",
"s3:ListJobs"
],
"Resource": "*"
}
]
}
我不确定为什么必须制定这项政策。在我的存储桶策略中,该角色已经允许执行这些操作。可能是我必须明确指定个人资料图片资源文件夹,但不确定。