I'm following this tutorial to a tee on how to grant single user access to a bucket.
我的政策与他们的政策完全相同:
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowGroupToSeeBucketListInTheConsole",
"Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::*"]
},
{
"Sid": "AllowRootAndHomeListingOfCompanyBucket",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::my-company"],
"Condition":{"StringEquals":{"s3:prefix":["","/"],"s3:delimiter":["/"]}}
},
{
"Sid": "AllowListingOfUserFolder",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::my-company"],
"Condition":{"StringLike":{"s3:prefix":["home/${aws:username}/*"]}}
},
{
"Sid": "AllowAllS3ActionsInUserFolder",
"Action":["s3:*"],
"Effect":"Allow",
"Resource": ["arn:aws:s3:::my-company/home/${aws:username}/*"]
}
]
}
我的用户名为bob
,其政策已正确保存到他的IAM帐户中。
我可以登录该帐户,并以bob
为用户查看我所有可用的存储分区。但是,如果我尝试访问广告管理系统my-company
,我会获得Site says : Access Denied
。
我在这里缺少什么?
答案 0 :(得分:0)
这是由于某些第三方S3客户端发出ListBucket请求以列出存储桶根,而根本没有提供“前缀”。这会导致“拒绝访问”,因为this blog post中的策略要求“前缀”为“”,“home /”或用户主目录,而不是完全缺席。
如果遇到此类问题,请添加以下块以授权此请求。
修复:
{
"Sid": "AllowRootListingWithoutPrefix",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::my-company"
],
"Condition": {
"Null": {
"s3:prefix": "true"
},
"StringEquals": {
"s3:delimiter": [
"/"
]
}
}
}