Granting an AWS federated user access to an S3 bucket

Time: 2014-06-09 13:46:38

Tags: amazon-s3 token bucket federated

A mobile phone can correctly upload its content to an S3 bucket under an IAM user with the following bucket policy:

{
    "Version": "2008-10-17",
    "Id": "redacted",
    "Statement": [
        {
            "Sid": "redacted",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::redacted:user/iam_user"
            },
            "Action": "s3:ListBucketMultipartUploads",
            "Resource": "arn:aws:s3:::bucket_name"
        },
        {
            "Sid": "redacted",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::202695660434:user/iam_user"
            },
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:GetObject",
                "s3:ListMultipartUploadParts",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::bucket_name/uploads/*"
        }
    ]
}

I want to follow best practices and allow a federated user to upload to this bucket from the mobile device. How should I adjust the policy? I can currently create federated user credentials, but the upload does not work correctly. This policy fails to save:

{
    "Version": "2008-10-17",
    "Id": "redacted",
    "Statement": [
        {
            "Action": [
                "sts:GetFederationToken"
            ],
            "Sid": "redacted",
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Sid": "redacted",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::redacted:user/iam_user"
            },
            "Action": "s3:ListBucketMultipartUploads",
            "Resource": "arn:aws:s3:::bucket_name"
        },
        {
            "Sid": "redacted",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::202695660434:user/iam_user"
            },
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:GetObject",
                "s3:ListMultipartUploadParts",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::bucket_name/uploads/*"
        }
    ]
}
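An added example in Python (not code from the question or the answer). It checks a bucket policy for the two properties that keep a policy like the second one above from saving (a statement without a Principal, and an action outside the s3: namespace, since sts:GetFederationToken belongs in the IAM user's own policy, not in the bucket policy) and builds the session policy a backend would pass to GetFederationToken so the device is confined to the uploads/ prefix. The backend function, the device name and the boto3 call are assumptions; the sample statement is a constructed copy of the failing one.

```python
import json

BUCKET = "bucket_name"   # bucket name as written in the question
PREFIX = "uploads/"      # prefix the devices may write to

def bucket_policy_problems(policy: dict) -> list:
    """Return the reasons S3 would reject this bucket policy.
    A bucket policy is a resource policy: every statement needs a Principal,
    and only s3:* actions are accepted (sts:* belongs in an IAM policy)."""
    problems = []
    for st in policy.get("Statement", []):
        sid = st.get("Sid", "<no Sid>")
        if "Principal" not in st and "NotPrincipal" not in st:
            problems.append(f"{sid}: missing Principal")
        actions = st.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            if not action.lower().startswith("s3:"):
                problems.append(f"{sid}: non-S3 action {action}")
    return problems

def federation_session_policy(bucket: str, prefix: str) -> dict:
    """Session policy for sts:GetFederationToken. The federated user's
    effective permissions are the intersection of this document and the
    calling IAM user's permissions, so it narrows, never widens, access."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucketMultipartUploads",
         "Resource": f"arn:aws:s3:::{bucket}"},
        {"Effect": "Allow",
         "Action": ["s3:AbortMultipartUpload", "s3:GetObject",
                    "s3:ListMultipartUploadParts", "s3:PutObject"],
         "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"}]}

def get_device_credentials(device_name: str, duration: int = 3600) -> dict:
    """Hypothetical backend call: runs where the IAM user's long-term keys
    live, never on the phone. Needs boto3 and real AWS credentials, so the
    import is lazy and the rest of the file runs offline."""
    import boto3
    resp = boto3.client("sts").get_federation_token(
        Name=device_name,
        Policy=json.dumps(federation_session_policy(BUCKET, PREFIX)),
        DurationSeconds=duration)
    return resp["Credentials"]   # temporary AccessKeyId/SecretAccessKey/SessionToken

# Constructed copy of the statement that stops the second policy from saving.
ATTEMPTED_POLICY = {"Version": "2008-10-17", "Statement": [
    {"Sid": "federate", "Effect": "Allow",
     "Action": ["sts:GetFederationToken"], "Resource": ["*"]}]}

if __name__ == "__main__":
    print(bucket_policy_problems(ATTEMPTED_POLICY))
```

The bucket policy itself stays as in the first listing; only the temporary credentials handed to the phone change, and they expire with the session.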

1 answer:

Answer 0 (score: 0)

I ran into the same situation; I needed some users to upload files to a specific bucket and some users to download data from certain buckets.

I plan to have a Lambda function that requests access on behalf of the user to read from/write to a specific bucket and serves the files locally. I'm not sure whether this is one of the best practices;

I will add security around how the Lambda function is invoked.