我尝试使用联合令牌来管理对S3存储桶中文件夹的访问。但是,在我的示例代码中,用户可以访问整个存储桶。以下规范成功,但我希望它基于此文档失败: http://blogs.aws.amazon.com/security/post/Tx1DM54S2Q7TC8U/Understanding-the-API-options-for-securely-delegating-access-to-your-AWS-account
describe "assumed credentials" do
let(:policy) {
{
"Version": "2012-10-17",
"Statement": [
{
"Effect":"Allow",
"Action":"s3:ListBucket",
"Resource":["arn:aws:s3:::bucket-name"],
"Condition":{"StringLike":{"s3:prefix":"000/"}}
}
]
}
}
it "should allow upload with federation credentials" do
client = Aws::STS::Client.new
token = client.get_federation_token(
policy: policy.to_json,
duration_seconds: 900,
name: 'S3-User'
)
s3 = Aws::S3::Resource.new(
Aws::Credentials.new(
token.credentials.access_key_id,
token.credentials.secret_access_key,
token.credentials.session_token
)
)
bucket = s3.bucket('bucket-name')
obj = bucket.object('00a/temporary3')
obj.delete
obj.put(body:'Hello World!')
expect(obj.exists?).to be
end
end
我发现很多人无法提供资源,但我似乎遇到了相反的问题。
由于
答案 0 :(得分:1)
ruby gem不允许您从凭据创建资源。您需要执行以下操作:
client = Aws::STS::Client.new
token = client.get_federation_token(
policy: policy.to_json,
duration_seconds: 900,
name: 'S3-User23'
)
Aws.config.update(
credentials: Aws::Credentials.new(
token.credentials.access_key_id,
token.credentials.secret_access_key,
token.credentials.session_token
)
)
s3 = Aws::S3::Resource.new(
token.credentials
)