如何在不列出存储桶的情况下将文件上传到Amazon S3

时间:2017-07-05 09:15:31

标签: amazon-web-services amazon-s3

我使用带有S3 Bucket策略的Angular前端将文件上传到S3:

didCompleteWithError

但如果我将上述政策改为

{
  "Id": "Policy1499245520254",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1499245493674",
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::test-dev/*",
                "arn:aws:s3:::test-dev"],
      "Principal": "*"
    }
  ]
}

我添加的地方:

{
  "Id": "Policy1499245520254",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1499245493674",
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::test-dev/*",
                "arn:aws:s3:::test-dev"],
      "Principal": "*"
    },
    {
      "Sid": "Stmt1499245517941",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::test-dev",
      "Principal": "*"
    }
  ]
}

添加存储桶列表拒绝,上传失败。如何在不上传存储桶的情况下上传文件。

2 个答案:

答案 0 :(得分:1)

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:GetObjectACL",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectTagging",
                "s3:PutObjectVersionAcl",
                "s3:PutObjectVersionTagging"
            ],
            "Resource": [
                "arn:aws:s3:::test-dev",
                "arn:aws:s3:::test-dev/*"
            ]
        }
    ]
}

我通过仅允许这些权限解决了这个问题,显然在此不需要存储列表并解决问题。

答案 1 :(得分:0)

这是因为s3:ListBucket操作涵盖了GET Bucket (List Objects)HEAD Bucket操作。 HEAD Bucket 操作确定存储桶是否存在并且您有权访问它,这似乎是在对对象的任何操作(例如s3:PutObject操作)之前调用的。请参阅Specifying Permissions in a Policy

相关问题
最新问题