我有一个用户使用Facebook登录的应用程序,然后可以将图像上传到s3存储桶并查看它们。我使用Cognito服务允许每个登录用户上传和查看所有文件。
我不知道如何在s3存储桶上设置正确的权限。这是我的尝试,但我无法保存政策并获得Statement is missing required element - Statement "NO_ID-0" is missing "Principal" element
{
"Version": "2012-10-17",
"Id": "Policy1457546546214",
"Statement": [
{
"Sid": "Stmt1475657256771436",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket-name/*"
},
{
"Sid": "Stmt16577654572138125",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": [
"bucket-name/identity-pool-id*"
]
}
]
}
这是客户端部分,如果它有帮助:
FB.login(function (response) {
if (response.authResponse) {
AWS.config.region = 'eu-west-1';
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: 'eu-west-1:xxxxxxxxxxx',
Logins: {
'graph.facebook.com': response.authResponse.accessToken
}
})
var bucket = new AWS.S3({params: {Bucket: 'name'}})
var fileChooser = document.getElementById('file-chooser')
var button = document.getElementById('upload-button')
button.addEventListener('click', function() {
var file = fileChooser.files[0]
var params = {Key: file.name, ContentType: file.type, Body: file}
bucket.upload(params, function (err, data) {
...
Cognito IAM > Roles > Cognito_myappAuth_Role:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cognito-identity:*"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::bucket/${cognito-identity.amazonaws.com:sub}/*",
"arn:aws:s3:::bucket/${cognito-identity.amazonaws.com:sub}"
]
}
]
}
答案 0 :(得分:1)
你签出了this blog post吗?它有一个很好的示例,说明如何设置允许用户进行S3存储桶访问的角色。删除列表桶部分,您将链接到您的身份池角色的访问策略可能如下所示:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket/${cognito-identity.amazonaws.com:sub}/*"]
}
]
}
修改:
Tl;博士来自对未来读者的评论:
将策略应用于池的auth角色而不是存储桶
如果应用用例需要公共区域,请使用存储桶根目录,否则请为策略中定义的每个标识使用目录(如博客中所述)
在身份验证发生之后,角色本身才会适用。该策略只定义了所返回的凭据可以访问的内容和内容。