我有一个名为Role1的角色。该角色适用以下政策。
我有一个具有角色1的IAM角色的ec2实例。
当我尝试conn.get_bucket('fooo_udata')时,我收到403错误。
有关于此的任何想法吗?
{
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListAllMyBuckets"],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": ["s3:ListBucket","s3:GetBucketLocation","s3:*"],
"Resource": ["arn:aws:s3:::fooo_uadata/","arn:aws:s3:::fooo_uadata/*"]
},
{
"Effect": "Allow",
"Action": ["s3:PutObject","s3:GetObject","s3:DeleteObject"],
"Resource": ["arn:aws:s3:::fooo_uadata/","arn:aws:s3:::fooo_uadata/*"]
}
]
}
答案 0 :(得分:3)
我认为你不想在你的存储桶策略中包含“/”字符。所以,尝试改变:
{
"Effect": "Allow",
"Action": ["s3:ListBucket","s3:GetBucketLocation","s3:*"],
"Resource": ["arn:aws:s3:::fooo_uadata/","arn:aws:s3:::fooo_uadata/*"]
},
对此:
{
"Effect": "Allow",
"Action": ["s3:ListBucket","s3:GetBucketLocation","s3:*"],
"Resource": ["arn:aws:s3:::fooo_uadata","arn:aws:s3:::fooo_uadata*"]
},
由于您的广告资源名称为foo_uadata而非foo_uadata/。