我正试图向我的帖子发帖,我对formdata的策略应该如何与我的存储桶政策相匹配感到有些困惑。
@time = Time.now.utc
@time_policy = @time.strftime('%Y%m%dT000000Z')
@date_stamp = @time.strftime('%Y%m%d')
ret = {"expiration" => 1.day.from_now.utc.xmlschema,
"conditions" => [
{"bucket" => Rails.application.secrets.aws_bucket},
{"x-amz-credential": "#{Rails.application.secrets.aws_access_key_id}/#{@date_stamp}/us-west-2/s3/aws4_request"},
{"x-amz-algorithm": "AWS4-HMAC-SHA256"},
{"x-amz-date": @time_policy },
]
}
@policy = Base64.encode64(ret.to_json).gsub(/\n|\r/, '')
Bucket Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Allow Get",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::example-development/*"
},
{
"Sid": "AddPerm",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789:user/example"
},
"Action": "s3:*",
"Resource": ["arn:aws:s3:::example-development/*","arn:aws:s3:::example-development"]
}
]
}
这些匹配吗?我没有偶然发现任何文件显示两者的良好并排比较。
答案 0 :(得分:1)
条件与政策无关。
条件强制执行上传的特定属性。例如,{ "{acl": "public-read" }
强制执行上传必须将ACL设置为public-read
的规则。如果上传未设置该值,则上传将被拒绝。
只要有人试图访问Amazon S3,就会强制执行存储桶策略。因此,"s3:x-amz-acl": "public-read"
表示只要该值为true,人们就可以访问该存储桶。放入存储桶策略是一件非常奇怪的事情,因为该属性仅与PutObject
操作相关。从S3读取对象时,它不适用。
使用PutObject
了解Specifying Conditions in a Policy的示例。