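I get an "Access Denied" error when I try to grant read-only access to anonymous users, even though this is my work bucket and I have all permissions.
I tried editing the principal so that it looks like this: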
FILES_OLDER_THAN_DAYS=30
files=()
# Collect the matching log files NUL-delimited so unusual file names are handled safely
while IFS= read -r -d $'\0'; do
    files+=("$REPLY")
done < <(find "$LOGS_PATH/" -maxdepth 1 -mtime +"$FILES_OLDER_THAN_DAYS" -type f \( -name "gums-app.log_*.log" \) -print0)
name=$(date --date="-$FILES_OLDER_THAN_DAYS day" '+%Y-%m-%d_%H:%M:%S')
if (( ${#files[@]} )); then
    echo "[Time: $(date)] Making tar of GUMS log files older than $FILES_OLDER_THAN_DAYS days." >> "$SCRIPT_LOG"
    tar cfz "$LOGS_PATH/zippedLogs/backup_$name.tar.gz" "${files[@]}"
    echo "[Time: $(date)] Removing GUMS log files older than $FILES_OLDER_THAN_DAYS days from local" >> "$SCRIPT_LOG"
    find "$LOGS_PATH/" -maxdepth 1 -mtime +"$FILES_OLDER_THAN_DAYS" -type f \( -name "*gums-app.log_*.log" \) -exec rm -f {} \;
    set_month_folder_id "$LOG_GDRIVE_FOLDER_ID"
    echo "$target_folder_id" >> "$SCRIPT_LOG"
    echo "[Time: $(date)] Uploading tar of log file to Google Drive" >> "$SCRIPT_LOG"
    "$MY_PATH/gdrive" upload "$LOGS_PATH/zippedLogs/backup_$name.tar.gz" -p "$target_folder_id" >> "$SCRIPT_LOG"
    echo "[Time: $(date)] Removing local tar file" >> "$SCRIPT_LOG"
    # ${LOGS_PATH:?} aborts instead of expanding to /zippedLogs/* when LOGS_PATH is unset or empty
    rm -rf "${LOGS_PATH:?}/zippedLogs/"*
else
    echo "[Time: $(date)] No GUMS log found older than $FILES_OLDER_THAN_DAYS days" >> "$SCRIPT_LOG"
fi
But I get an incomplete JSON error.
This is the example Amazon uses, which I have edited to suit my needs:
"Principal": {
"AWS": [
"arn:aws:iam::123123123123:user/myuid"
]
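This should make the bucket public so that everyone can view my website, but that does not happen because access is denied.
Answer 0: (score: 1)
If you wish to grant access to a specific IAM user, you should add a policy to that IAM user (not use a bucket policy).
If you wish to grant access to "anyone" (without authentication), you should create a Bucket Policy, for example: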
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AddPerm",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::examplebucket/*"]
    }
  ]
}
Also, make sure to turn off Amazon S3 Block Public Access, otherwise you will receive an Access Denied error when trying to access the content.
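As an added example (not part of the original question or answers), this Python check reports whether a bucket policy document grants anonymous access the way the `"Principal": "*"` policy in the answer above does, and returns `None` for a JSON fragment such as a bare Principal block. The function names and the three sample policies are constructed for illustration; treating any statement with a `Condition` as not public is a simplifying assumption.

```python
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_anonymous(principal):
    """True when a Principal element matches every caller, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def audit(policy_text):
    """Return None for unparseable JSON, else the list of anonymous Allow statements."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError:
        return None  # e.g. a pasted fragment instead of a whole policy document
    if not isinstance(policy, dict):
        return None
    public = []
    for st in _as_list(policy.get("Statement", [])):
        # Assumption: a statement carrying a Condition is treated as not public.
        if (st.get("Effect") == "Allow" and "Condition" not in st
                and is_anonymous(st.get("Principal"))):
            public.append((st.get("Sid"), _as_list(st.get("Action", [])),
                           _as_list(st.get("Resource", []))))
    return public

# Constructed samples: the public-read policy from the answer, the same policy
# limited to one IAM user, and a bare Principal block on its own.
PUBLIC_READ = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AddPerm", "Effect": "Allow", "Principal": "*",
                   "Action": ["s3:GetObject"],
                   "Resource": ["arn:aws:s3:::examplebucket/*"]}]})
SINGLE_USER = PUBLIC_READ.replace(
    '"Principal": "*"',
    '"Principal": {"AWS": ["arn:aws:iam::123123123123:user/myuid"]}')
FRAGMENT = '"Principal": {"AWS": ["arn:aws:iam::123123123123:user/myuid"]'

if __name__ == "__main__":
    for label, text in [("public-read", PUBLIC_READ),
                        ("single-user", SINGLE_USER), ("fragment", FRAGMENT)]:
        print(label, "->", audit(text))
```

Running the same check over every bucket policy in an account gives a quick inventory of which buckets are intentionally public and which are public by accident.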
Answer 1: (score: 0)
Your IAM policy should have s3:GetBucketPolicy and s3:PutBucketPolicy set as permitted actions for the IAM account.
Your policy should look like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleStmt",
      "Action": [
        "s3:GetBucketPolicy",
        "s3:PutBucketPolicy"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::awsexamplebucket"
    }
  ]
}
You can see the troubleshooting documentation here: https://aws.amazon.com/premiumsupport/knowledge-center/s3-access-denied-bucket-policy/