亚马逊S3文件'访问被拒绝'跨账户中的例外情况

时间:2015-10-20 12:04:27

标签: amazon-web-services amazon-s3

我有2个AWS账户。帐户A有S3桶' BUCKET'其中我使用Java api放置文件。我配置了我的' BUCKET'允许跨帐户文件发布的策略。 但是,当我尝试从帐户A打开此文件时,它会显示AccessDenied使用hostId和requestId拒绝访问。

此文件使用java api通过帐户B发布,此文件与通过api发布的文件大小相同。我尝试更改文件大小,并在AWS S3控制台上显示新大小。 这是我的保管政策:

    {
"Version": "2008-10-17",
"Id": "Policy1357935677554",
"Statement": [
    {
        "Sid": "Stmt1357935647218",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::ACCOUNTB:user/accountb-user"
        },
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::bucket-name"
    },
    {
        "Sid": "Stmt1357935676138",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::ACCOUNTB:user/accountb-user"
        },
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::bucket-name/*"
    },
    {
        "Sid": "Stmt1357935676138",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::ACCOUNTB:user/accountb-user"
        },
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::bucket-name/*"
    },
    {
        "Sid": "Stmt1357935647218",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::ACCOUNTA:user/accounta-user"
        },
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::bucket-name"
    },
    {
        "Sid": "Stmt1357935676138",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::ACCOUNTA:user/accounta-user"
        },
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::bucket-name/*"
    },
    {
        "Sid": "Stmt1357935676138",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::ACCOUNTA:root"
        },
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::bucket-name/*"
    }
]

}

问题是当我尝试从帐户A下载/打开此文件时,我无法打开它。

1 个答案:

答案 0 :(得分:2)

问题在于,默认情况下,当AWS(cli或SDK)上传文件时,它仅通过s3 ACL授予对上传者的访问权限。

在这种情况下,要允许所有者读取上传的文件,上传者必须在上传期间明确授予对存储桶所有者的访问权限。例如:

  • 使用aws CLI(文档here):aws s3api put-object --bucket <bucketname> --key <filename> --acl bucket-owner-full-control
  • 使用nodejs API(文档here):您必须将params.ACL方法的AWS.S3.upload属性设置为"bucket-owner-full-control"

同时,您还可以确保存储桶拥有者对存储桶策略具有完全控制权(附加文档here):

{ "Version": "2012-10-17", "Statement": [ { "Sid": "Grant Owner Full control dev", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::ACCOUNTB:root" }, "Action": [ "s3:PutObject" ], "Resource": [ "arn:aws:s3:::bucket-name/*" ], "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } } } ] }

相关问题
最新问题