如何允许认知身份池下的用户“列出”和“获取” S3存储桶对象?

时间:2018-08-08 18:40:41

标签: amazon-web-services amazon-s3

我希望仅在认知身份池下的用户能够“列出”和“获取”整个S3存储桶对象。我不确定“存储桶策略”应该是什么样子。目前,我拥有的是:

{
  "Version": "2012-10-17",
  "Statement": [
    {
        "Action": [
            "s3:GetObject"
        ],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::<My Bucket Name>/*",
        "Principal": {
            "Federated": "cognito-identity.amazonaws.com"
        }
        "Condition": {
            "StringEquals": {
                "cognito-identity.amazonaws.com:aud": "<Identity Pool ID>"
            },
            "ForAnyValue:StringLike": {
                "cognito-identity.amazonaws.com:amr": "authenticated"
            }
        }
    },
    {
        "Action": [
            "s3:ListBucket"
        ],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::<My Bucket Name>",
        "Principal": {
            "Federated": "cognito-identity.amazonaws.com"
        }
        "Condition": {
            "StringEquals": {
                "cognito-identity.amazonaws.com:aud": "<Identity Pool ID>"
            },
            "ForAnyValue:StringLike": {
                "cognito-identity.amazonaws.com:amr": "authenticated"
            }
        }
    }
]
}

当我尝试在Android应用程序中使用以下代码列出s3存储桶对象时,会抛出com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied

ListObjectsRequest listObjectsRequest =
            new ListObjectsRequest().withBucketName(bucketName);

ObjectListing objectListing = amazonS3Client.listObjects(listObjectsRequest);

基本上,我想要的是只有经过身份验证的用户(属于身份池)才可以访问我的整个S3存储桶(共享资源),但不希望将该存储桶公开。

有人可以帮我解决这个问题,或者甚至使S3像这样工作吗?

请记住,用户已登录并能够访问其他公共存储桶

0 个答案:

没有答案
相关问题
最新问题