s3桶政策帖子

时间:2017-03-06 19:23:59

标签: amazon-web-services amazon-s3

我正试图向我的帖子发帖,我对formdata的策略应该如何与我的存储桶政策相匹配感到有些困惑。

 @time = Time.now.utc
 @time_policy = @time.strftime('%Y%m%dT000000Z')
 @date_stamp = @time.strftime('%Y%m%d')

 ret = {"expiration" => 1.day.from_now.utc.xmlschema,
        "conditions" =>  [
            {"bucket" => Rails.application.secrets.aws_bucket},
            {"x-amz-credential": "#{Rails.application.secrets.aws_access_key_id}/#{@date_stamp}/us-west-2/s3/aws4_request"},
            {"x-amz-algorithm": "AWS4-HMAC-SHA256"},
            {"x-amz-date": @time_policy },
        ]
        }

  @policy = Base64.encode64(ret.to_json).gsub(/\n|\r/, '')

Bucket Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow Get",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-development/*"
        },
        {
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789:user/example"
            },
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-development/*","arn:aws:s3:::example-development"]
        }
    ]
}

这些匹配吗?我没有偶然发现任何文件显示两者的良好并排比较。

1 个答案:

答案 0 :(得分:1)

条件与政策无关。

条件强制执行上传的特定属性。例如,{ "{acl": "public-read" }强制执行上传必须将ACL设置为public-read的规则。如果上传未设置该值,则上传将被拒绝。

只要有人试图访问Amazon S3,就会强制执行存储桶策略。因此,"s3:x-amz-acl": "public-read"表示只要该值为true,人们就可以访问该存储桶。放入存储桶策略是一件非常奇怪的事情,因为该属性仅与PutObject操作相关。从S3读取对象时,它不适用。

使用PutObject了解Specifying Conditions in a Policy的示例。