accountname-dev和accountname-prod account-dev能够在BucketName / DEVELOPMENT account-prod能够在BucketName / PRODUCTION 每当我使用策略生成器时,看起来我在某种程度上做错了。添加标准管理策略可以很好地访问文档,但我的自定义策略不能。
我使用亚马逊的IAM策略创建屏幕为特定帐户添加了策略。
我正在尝试使用的政策是:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "[Redacted]",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Condition": {
"StringLike": {
"s3:prefix": "DEVELOPMENT/*"
}
},
"Resource": [
"arn:aws:s3:::RedactedBucketName"
]
}
]
}
答案 0 :(得分:1)
我可以这样做:
仅为单个用户分配IAM用户策略(不需要S3存储桶策略)。
检查以下用户政策。我是为用户account-dev创建的,这意味着您必须将此IAM政策应用于account-dev用户。
{
"Statement": [
{
"Sid": "AllowGroupToSeeBucketListInTheConsole",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "AllowRootLevelListingOfDevelopmentBucket",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::development-bucket-name"
],
"Condition": {
"StringEquals": {
"s3:prefix": [
""
],
"s3:delimiter": [
"/"
]
}
}
},
{
"Sid": "AllowListBucketIfSpecificPrefixIsIncludedInRequest",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::development-bucket-name"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"DEVELOPMENT/*"
]
}
}
},
{
"Sid": "AllowUserToReadWriteObjectData",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:DeleteObjectVersion"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::development-bucket-name/DEVELOPMENT/*"
]
}
]
}
AllowGroupToSeeBucketListInTheConsole和AllowRootLevelListingOfDevelopmentBucket。如果您不希望用户在S3控制台上工作并希望他只使用API,那么您可以省略这两个节。
同样,您已为account-prod创建了另一个用户策略,并将其分配给该用户。