How to create a bucket with Public Read Access?

时间:2019-01-18 18:19:14

标签: amazon-s3 serverless

I´d like to enable Public Read-Access on all items in my Bucket that are in the "public" folder in the serverless.yml file.

Currently this is definition code i use to declare my bucket. Its a bit of copy and paste from one of the serverless-stack examples.

Resources:
  AttachmentsBucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: PublicRead
      # Set the CORS policy
      BucketName: range-picker-bucket-${self:custom.stage}
      CorsConfiguration:
        CorsRules:
          -
            AllowedOrigins:
              - '*'
            AllowedHeaders:
              - '*'
            AllowedMethods:
              - GET
              - PUT
              - POST
              - DELETE
              - HEAD
            MaxAge: 3000

# Print out the name of the bucket that is created
Outputs:
  AttachmentsBucketName:
    Value:
      Ref: AttachmentsBucket

Now when i try to use a url for a file, it returns access denied. I manually have to set the public read permission for every file by hand in the aws-s3 web interface.

What am i doing wrong?

3 个答案:

答案 0 :(得分:1)

接受的答案对我不起作用。 CloudFormation 未能更新资源,错误为:

Action does not apply to any resource(s) in statement (Service: Amazon S3; Status Code: 400; Error Code: MalformedPolicy; Request ID: <...>; S3 Extended Request ID: <...>; Proxy: null)

资源定义中似乎缺少通配符。对我有用的完整片段:

PublicBucket:
  Type: AWS::S3::Bucket
  Properties:
    BucketName: 'public-bucket-name'

PublicBucketPolicy:
  Type: AWS::S3::BucketPolicy
  Properties:
    Bucket: !Ref PublicBucket
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Action:
            - 's3:GetObject'
          Resource:
            - !Join ['/', [!GetAtt [PublicBucket, Arn], '*']]
          Principal: '*'

答案 1 :(得分:0)

您需要attach a bucket policy,而不是在存储桶上使用CorsConfiguration。请尝试以下操作:

Resources:
  AttachmentsBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: range-picker-bucket-${self:custom.stage}

  AttachmentsBucketAllowPublicReadPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref AttachmentsBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement: 
          - Effect: Allow
            Action: 
              - "s3:GetObject"
            Resource: 
              - !Join ['/', [!Ref AttachmentsBucket, 'public']]
            Principal: "*"

答案 2 :(得分:0)

正如其他人所说,您需要实施这样的 Bucket策略

{ "Version": "2012-10-17", "Statement": [ { "Sid": "PublicReadForGetBucketObjects", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::{NAME_OF_YOUR_BUCKET_HERE}/*" } ] }

这可以在AWS控制台中选择 Bucket ,然后依次选择 Permissions Bucket Policy 。看起来@Milan C.指示如何在 serverless.yml 文件中声明它。