我正在尝试设置对我的某个存储桶的安全访问,但我无法使其正常工作,即使我非常确定一切正常。
我有这个桶,让我们称之为我在爱尔兰创建的mybucket。
它包含两个文件夹dev和prod。
我创建了两个用户:
mybucket-prod,ARN:arn:aws:iam::XXXXXXXXX:user/mybucket-prod mybucket-dev,ARN:arn:aws:iam::XXXXXXXXX:user/mybucket-dev 这些用户中的每一个都有一个政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1439909068000",
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::mybucket/dev/*"
]
}
]
}
( mybucket-prod ,资源= "arn:aws:s3:::mybucket/prod/*")
这是桶策略:
{
"Version": "2012-10-17",
"Id": "Policy1439908568053",
"Statement": [
{
"Sid": "Stmt1439908459631",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXXXXX:user/mybucket-dev"
},
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObjectAcl",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::mybucket/dev/*"
},
{
"Sid": "Stmt1439908500795",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXXXXX:user/mybucket-prod"
},
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObjectAcl",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::mybucket/prod/*"
}
]
}
对于这两个用户而言,我无法使其发挥作用。我尝试创建一个新的访问密钥,没有任何运气。
我做错了什么?
也许值得注意的是,我将其他存储桶的内容复制到了这个存储区,通过访问亚马逊的网络界面,点击前一个存储桶中的“dev”和“prod”,选择“复制”,然后继续mybucket并选择“粘贴”?
我也尝试了策略模拟器,结果是肯定的(允许)。
我正在使用boto(Python),但正如我所说,我没有更改代码中的任何内容,并且因为我更改了存储桶名称而发生错误。我测试了一个非常基本的代码,返回相同的错误:
from boto.s3.connection import S3Connection
from boto.s3.key import Key
con = S3Connection('KEY', 'SECRET', host='s3-eu-west-1.amazonaws.com')
print Key(bucket=con.get_bucket('mybucket'), name="/prod/2/documents/1-demo.pdf")
我得到了:
Traceback (most recent call last):
File "test.py", line 6, in <module>
print Key(bucket=con.get_bucket('mybucket'), name="/prod/2/contracts/1/documents/1-cillit.pdf")
File "/usr/lib/python2.7/site-packages/boto/s3/connection.py", line 502, in get_bucket
return self.head_bucket(bucket_name, headers=headers)
File "/usr/lib/python2.7/site-packages/boto/s3/connection.py", line 535, in head_bucket
raise err
boto.exception.S3ResponseError: S3ResponseError: 403 Forbidden
答案 0 :(得分:2)
经过数小时的搜索,我找到了解决方案。
@ Michael-sqlbot通过扩展授权让我走上正轨。
事实证明,我需要添加一个额外的权限才能使一切正常(我不知道为什么它之前有效!)。
这是新的存储桶策略:
{
"Version": "2012-10-17",
"Id": "Policy1439908568053",
"Statement": [
{
"Sid": "Stmt1439972574242",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::XXXXXXXXX:user/mybucket-dev",
"arn:aws:iam::XXXXXXXXX:user/mybucket-prod"
]
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::mybucket"
},
{
"Sid": "Stmt1439908459631",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXXXXX:user/mybucket-dev"
},
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObjectAcl",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::mybucket/dev/*"
},
{
"Sid": "Stmt1439908500795",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXXXXX:user/mybucket-prod"
},
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObjectAcl",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::mybucket/prod/*"
}
]
}
新权限是将“ListBucket”添加到存储桶,以便连接到它的用户(mybucket-dev和mybucket-prod)。添加此新权限后,一切正常。
我还删除了附加给用户的政策。
我很想知道我所做的是否正确或者我做错了什么(权限“ListBucket”不是太宽?是否正确删除了用户的政策?)
但是,现在它有效了!