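I need to issue pre-signed URLs to allow users to GET and PUT files into a specific S3 bucket. I created an IAM user and use its keys to create the pre-signed URLs, and added a custom policy embedded in that user (see below). When I use the generated URL, I get an AccessDenied error with my policy. If I add the FullS3Access policy to the IAM user, the file can be GET or PUT with the same URL, so obviously my custom policy is lacking. What is wrong with it?
Here is the custom policy I am using that does not work: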
{
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::MyBucket"
]
},
{
"Action": [
"s3:AbortMultipartUpload",
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteBucketPolicy",
"s3:DeleteObject",
"s3:GetBucketPolicy",
"s3:GetLifecycleConfiguration",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:PutBucketPolicy",
"s3:PutLifecycleConfiguration",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::MyBucket/*"
]
}
]
}
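Answer 0: (score: 3)
Bucket permissions vs. object permissions
The following permissions in your policy should be at the bucket level (arn:aws:s3:::MyBucket), rather than a sub-path within the bucket (e.g. arn:aws:s3:::MyBucket/*):
See: Specifying Permissions in a Policy
However, this is not the reason you cannot PUT or GET files.
GET
You have assigned the GetObject permission, which means you should be able to GET an object from the S3 bucket. I tested this by assigning your policy to a user, then using that user's credentials to access an object, and it worked correctly.
PUT
I also used your policy to upload via a web form, and it worked correctly.
Here is the form I used to upload: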
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>S3 POST Form</title>
<style type="text/css"></style></head>
<body>
<form action="https://<BUCKET-NAME>.s3.amazonaws.com/" method="post" enctype="multipart/form-data">
<input type="hidden" name="key" value="uploads/${filename}">
<input type="hidden" name="AWSAccessKeyId" value="<ACCESS-KEY>">
<input type="hidden" name="acl" value="private">
<input type="hidden" name="success_action_redirect" value="http://<BUCKET-NAME>.s3.amazonaws.com/ok.html">
<input type="hidden" name="policy" value="<ENCODED-POLICY>">
<input type="hidden" name="signature" value="<SIGNATURE>">
<input type="hidden" name="Content-Type" value="image/jpeg">
<!-- Include any additional input fields here -->
File to upload to S3:
<input name="file" type="file">
<br>
<input type="submit" value="Upload File to S3">
</form>
</body>
</html>
Here is how I generated the signature:
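#!/usr/bin/env python3
import base64
import hashlib
import hmac

# POST policy document: the conditions the uploaded form fields must satisfy
policy_document = '{"expiration": "2018-01-01T00:00:00Z", "conditions": [ {"bucket": "<BUCKET-NAME>"}, ["starts-with", "$key", "uploads/"], {"acl": "private"}, {"success_action_redirect": "http://BUCKET-NAME.s3.amazonaws.com/ok.html"}, ["starts-with", "$Content-Type", ""], ["content-length-range", 0, 1048000] ] }'
AWS_SECRET_ACCESS_KEY = "<SECRET-KEY>"

# Base64-encoded policy: the value of the form's "policy" field
policy = base64.b64encode(policy_document.encode("utf-8"))
# HMAC-SHA1 of the encoded policy, keyed with the secret key: the "signature" field
signature = base64.b64encode(hmac.new(AWS_SECRET_ACCESS_KEY.encode("utf-8"), policy, hashlib.sha1).digest())

print(policy.decode("ascii"))
print()
print(signature.decode("ascii"))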
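The bucket-level versus object-level point in the answer above, as an added example that is not part of the original post: a small checker that flags Allow grants whose action can never match the listed resource ARNs. The function name `dead_grants` is hypothetical, the action grouping follows the S3 actions reference, and only exact action names (no `s3:*` wildcards) are handled.

```python
# Added example (constructed checker, not AWS tooling).
# Resource type S3 evaluates each action against, per the S3 actions reference.
BUCKET_ACTIONS = {
    "s3:CreateBucket", "s3:DeleteBucket", "s3:DeleteBucketPolicy",
    "s3:GetBucketPolicy", "s3:GetLifecycleConfiguration", "s3:ListBucket",
    "s3:ListBucketMultipartUploads", "s3:PutBucketPolicy",
    "s3:PutLifecycleConfiguration",
}
OBJECT_ACTIONS = {
    "s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetObject",
    "s3:ListMultipartUploadParts", "s3:PutObject",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers(resource, kind):
    tail = resource.split(":::", 1)[-1]      # "MyBucket" or "MyBucket/*"
    if kind == "bucket":
        return "/" not in tail
    return "/" in tail or "*" in tail        # an IAM "*" also spans "/"

def dead_grants(policy):
    """Return (statement index, action) pairs that can never match a resource."""
    dead = []
    for idx, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt["Resource"])
        for action in _as_list(stmt["Action"]):
            kind = ("bucket" if action in BUCKET_ACTIONS
                    else "object" if action in OBJECT_ACTIONS else None)
            if kind and not any(_covers(r, kind) for r in resources):
                dead.append((idx, action))
    return dead

# The policy from the question, reproduced inline.
QUESTION_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::MyBucket"]},
    {"Effect": "Allow", "Resource": ["arn:aws:s3:::MyBucket/*"],
     "Action": sorted(BUCKET_ACTIONS | OBJECT_ACTIONS)},
]}

if __name__ == "__main__":
    for idx, action in dead_grants(QUESTION_POLICY):
        print(f"Statement[{idx}]: {action} needs the bucket ARN, not MyBucket/*")
```

On the question's policy this flags nine bucket-level actions in the second statement and leaves `s3:GetObject` and `s3:PutObject` untouched, which matches the answer's remark that the misplaced permissions are not what blocks GET or PUT.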
Answer 1: (score: 2)
Here is an IAM policy that works for my pre-signed S3 URLs.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::mydocs/*"
}
]
}
I wonder whether your problem is in the Resource section. Are you always making GET requests against the bucket MyBucket?
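Answer 2: (score: 1)
I have also been working on a feature that uses pre-signed GET and PUT URLs, specifically via a role associated with an AWS Lambda function. I found a bit of a twist, though, in that I also needed to allow use of the KMS key encrypting the bucket.
I was pointed in the right direction by this off-the-beaten-path article. Bucket-level permissions are not needed for URL pre-signing, only a handful of object-level permissions.
In short, my Lambda role policy for supporting pre-signed URLs looks like the following. Note that the CloudWatch Logs permissions are unrelated to signing, but are generally important for Lambda functions: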
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:*",
"Effect": "Allow"
},
{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "<my-bucket-arn-expression>/*",
"Effect": "Allow"
},
{
"Sid": "KMSAccess",
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:ReEncrypt*"
],
"Effect": "Allow",
"Resource": "<my-key-arn>"
}
]
}
If you use the built-in AES encryption (or no encryption), your policy can be simplified to:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:*",
"Effect": "Allow"
},
{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "<my-bucket-arn-expression>/*",
"Effect": "Allow"
}
]
}
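Answer 3: (score: -1)
After messing around with IAM permissions for about a week, this worked. My goal was to create a presigned_url to read an S3 image (one that does not expire until the 7-day maximum).
KMS and S3 are needed.
STS is probably not needed, but I was also messing with the "assume_role" function.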
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"kms:Decrypt",
"kms:Encrypt",
"kms:DescribeKey",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Resource": [
"arn:aws:kms:*:<account-number>:key/*",
"arn:aws:s3:::<bucket-name>/*"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"sts:GetSessionToken",
"sts:DecodeAuthorizationMessage",
"sts:GetAccessKeyInfo",
"sts:GetCallerIdentity",
"sts:GetServiceBearerToken"
],
"Resource": "*"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "sts:*",
"Resource": [
"arn:aws:iam::<account-number>:<role-arn>",
"arn:aws:iam::<account-number>:user/<aws-user-name>"
]
}
]
}
Here is the function that uses this user's credentials:
import boto3
from botocore.config import Config

# AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, bucket_name and key_name are
# expected to be defined elsewhere.
my_config = Config(
    region_name='us-east-2',
    signature_version='s3v4',
    s3={'addressing_style': 'path'},
)
client = boto3.client(
    's3',
    config=my_config,
    aws_access_key_id=AWS_ACCESS_KEY_ID,
    aws_secret_access_key=AWS_SECRET_ACCESS_KEY,
)
# Pre-signed GET URL valid for 604800 seconds (7 days)
presigned_url = client.generate_presigned_url(
    'get_object',
    Params={'Bucket': bucket_name, 'Key': key_name},
    ExpiresIn=604800,
    HttpMethod=None,
)