我正在尝试从我的s3存储桶中读取现有文件,但我一直收到“拒绝访问”,没有任何解释或说明如何处理它。 Here是我正在使用的代码:
'use strict'
var AWS = require('aws-sdk')
const options = {
apiVersion: '2006-03-01',
params: {
Bucket: process.env['IMAGINATOR_BUCKET']
},
accessKeyId: process.env['IMAGINATOR_AWS_ACCESS_KEY_ID'],
secretAccessKey: process.env['IMAGINATOR_AWS_SECRET_ACCESS_KEY'],
signatureVersion: 'v4'
}
console.log('options', options)
var s3 = new AWS.S3(options)
module.exports = exports = {
get (name, cb) {
const params = {
Key: name + '.json'
}
console.log('get params', params)
return s3.getObject(params, cb)
},
set (name, body, cb) {
const params = {
Key: name + '.json',
Body: body
}
console.log('set params', params)
return s3.putObject(params, cb)
}
}
这是我在使用get方法并记录回调中提供的错误时输出的内容(敏感信息被删除):
options { apiVersion: '2006-03-01',
params: { Bucket: CENSORED_BUT_CORRECT },
accessKeyId: CENSORED_BUT_CORRECT,
secretAccessKey: CENSORED_BUT_CORRECT,
signatureVersion: 'v4' }
get params { Key: 'whitelist.json' }
err { [AccessDenied: Access Denied]
message: 'Access Denied',
code: 'AccessDenied',
region: null,
time: Wed Sep 21 2016 11:17:50 GMT-0400 (EDT),
requestId: CENSORED,
extendedRequestId: CENSORED,
cfId: undefined,
statusCode: 403,
retryable: false,
retryDelay: 20.084538962692022 }
/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/request.js:31
throw err;
^
AccessDenied: Access Denied
at Request.extractError (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/services/s3.js:538:35)
at Request.callListeners (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/sequential_executor.js:105:20)
at Request.emit (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
at Request.emit (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/request.js:668:14)
at Request.transition (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/request.js:670:12)
at Request.callListeners (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/sequential_executor.js:115:18)
现在我不知道该怎么做因为我认为我根据文档正确地做事,但是它不起作用并且错误消息没有说明为什么我的访问被拒绝...任何想法是什么下一步应该是让这个工作吗?
答案 0 :(得分:9)
问题是我的新IAM用户没有附加策略。我为其分配了AmazonS3FullAccess政策,现在可以使用。
正如评论中所指出的,更严格的政策会更安全
答案 1 :(得分:4)
不需要FullAccess!
{
“版本”:“2012-10-17”,
“声明”:[
{
“Sid”:“VisualEditor0”,
“效果”:“允许”,
“行动”:[
“S3:将*”,
“S3:获取*”,
“S3:列表*”,
“S3:删除*”
],
“资源”:[
“阿尔恩:AWS:S3 :::桶/ *”,
“阿尔恩:AWS:S3 ::: bicket”
]
},
{
“Sid”:“VisualEditor1”,
“效果”:“允许”,
“行动”:“s3:ListAllMyBuckets”,
“资源”:“*”
}
]
}
答案 2 :(得分:2)
Steps
1: click on Users in IAM (in AWS)
2: click on permission tab
3: click on add permission then click on add group
4: search s3fullaccess in searchbar
5: select AmazonS3FullAccess and type any group name then click on create
6: perform action through your API again
7: done
答案 3 :(得分:1)
当您尝试读取的对象不存在时,会发生此错误。
请验证密钥/存储桶是否正确以及是否在api方法上发送了正确的参数。
当我用存储桶参数替换键参数时遇到了这个问题,反之亦然。
答案 4 :(得分:1)
"code":"AccessDenied","region":null,"time":"2020-05-24T05:20:56.219Z","requestId": ...
在“权限”标签的桶策略编辑器的s3 aws控制台中应用了以下策略,以摆脱上述错误,
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<IAM-user-ID>:user/testuser"
},
"Action": [
"s3:ListBucket",
"s3:ListBucketVersions",
"s3:GetBucketLocation",
"s3:Get*",
"s3:Put*"
],
"Resource": "arn:aws:s3:::srcbucket"
}
]
}
答案 5 :(得分:0)
如果您尝试设置ACL to "public-read",但存储桶阻止了公共访问,也可能发生这种情况。例如,如果您打算将静态资产上传到配置错误的S3存储桶中。您可以在存储桶设置中对其进行更改。
答案 6 :(得分:0)
就我而言,我更新了 .env 文件中保存 s3 存储桶名称的变量,但没有更新程序中的变量,因此程序接收存储桶名称变量的 undefined 值导致我的程序抛出 access denied 错误。
因此,如果您将存储桶名称存储在变量中,请确保使用正确的存储桶名称或正确的变量名称