我已经成功创建了一个简单的HTML表单,将上传的文件POST到我的Amazon S3存储桶。我按照这些说明操作:
http://aws.amazon.com/articles/1434
现在我正在尝试为可以执行HTML表单POST的用户创建最小策略。
以下是设置:
userID: s3-uploader<br/>
ACCESS-KEY-ID: AXAXAXAXAXAXAXAXAXAX
这是HTML表单:
<!DOCTYPE html>
<html>
<head>
<title>S3 POST Form</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
</head>
<body>
<form action="https://<cname-for-upload-bucket>/" method="post" enctype="multipart/form-data">
<input type="hidden" name="key" value="foo/${filename}">
<input type="hidden" name="AWSAccessKeyId" value="AXAXAXAXAXAXAXAXAXAX">
<input type="hidden" name="acl" value="private">
<input type="hidden" name="success_action_redirect"
value="https://s3.amazonaws.com/<bucket-01-name>/upload-success.html">
<input type="hidden" name="policy"
value="eyJleHBpcmF0aW9uIjogIjIwMTQtMTItMTNUMDA6MDA6MDBaIiwKICAgICJjb25kaXRpb25zIjogWwogICAgICAgIHsiYnVja2V0IjogInMzLXVwLmdyaWR3YXJkLm5ldCJ9LAogICAgICAgIFsic3RhcnRzLXdpdGgiLCAiJGtleSIsICJwZWQvIl0sCiAgICAgICAgeyJhY2wiOiAicHJpdmF0ZSJ9LAogICAgICAgIHsic3VjY2Vzc19hY3Rpb25fcmVkaXJlY3QiOiAiaHR0cHM6Ly9zMy5hbWF6b25hd3MuY29tL2dkd2QvdXBsb2FkLXN1Y2Nlc3MuaHRtbCJ9LAogICAgICAgIFsic3RhcnRzLXdpdGgiLCAiJENvbnRlbnQtVHlwZSIsICIiXSwKICAgICAgICBbImNvbnRlbnQtbGVuZ3RoLXJhbmdlIiwgMCwgMTA0ODU3Nl0KICAgIF0KfQ==">
<input type="hidden" name="signature" value="WnbMCo0OY7g8oYkfxrVb8np4l94=">
<input type="hidden" name="Content-Type" value="image/jpeg">
<!-- Include any additional input fields here -->
File to upload to S3:
<input name="file" type="file">
<br>
<input type="submit" value="Upload File to S3">
</form>
</body>
</html>
...然后我知道这是表单隐藏输入'policy'的未编码版本:
{"expiration": "2014-12-13T00:00:00Z",
"conditions": [
{"bucket": "<cname-for-upload-bucket>"},
["starts-with", "$key", "foo/"],
{"acl": "private"},
{"success_action_redirect": "https://s3.amazonaws.com/<bucket-01-name>/upload-success.html"},
["starts-with", "$Content-Type", ""],
["content-length-range", 0, 1048576]
]
}
当userId:s3-uploader的策略为:
时,这一切都有效{
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
...但如果我将政策更改为更明确的政策,但仍然看似合理,我会得到一个&lt; AccessDenied /&gt;消息来自完全相同的HTML表单帖子。
这是我尝试过的限制性更强的政策:
{
"Statement": [
{
"Sid": "AllowS3uploader",
"Action": [
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:PutBucketAcl",
"s3:PutBucketPolicy",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::<cname-for-upload-bucket>",
"Principal": {
"AWS": [
"arn:aws:iam::756342427722:user/s3-uploader"
]
}
}
]
}
我在这里阅读了文档,没有得到额外的清晰度:
http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingIAMPolicies.html
所以我问我的同事Overflow-ites,我错过了什么?我真的不想让s3-uploader userId能够在桶上做任何动作(即's3:*')。
答案 0 :(得分:3)
您在资源部分中使用的ARN是错误的,您必须使用实际的存储桶名称而不是CNAME条目。