During the GitLab CI run I get: "fatal error: An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied"
My bucket policy:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPublicRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::BUCKET-NAME/*"
    }
  ]
}
Set in the GitLab CI settings (CI/CD variables):
My .gitlab-ci.yml
image: docker:latest

stages:
  - build
  - deploy

build:
  stage: build
  image: node:8.11.3
  script:
    - export API_URL="d144iew37xsh40.cloudfront.net"
    - npm install
    - npm run build
    - echo "BUILD SUCCESSFULLY"
  artifacts:
    paths:
      - public/
    expire_in: 20 mins
  environment:
    name: production
  only:
    - master

deploy:
  stage: deploy
  image: python:3.5
  dependencies:
    - build
  script:
    - export AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
    - export AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
    - export S3_BUCKET_NAME=$S3_BUCKET_NAME
    - export DISTRIBUTION_ID=$DISTRIBUTION_ID
    - pip install awscli --upgrade --user
    - export PATH=~/.local/bin:$PATH
    - aws s3 sync --acl public-read --delete public $S3_BUCKET_NAME
    - aws cloudfront create-invalidation --distribution-id $DISTRIBUTION_ID --paths '/*'
    - echo "DEPLOYED SUCCESSFULLY"
  environment:
    name: production
  only:
    - master
Answer 0 (score: 6)
I'm not sure the accepted answer is actually acceptable, since it simply allows every action on the bucket. The Sid is misleading too... ;-)
This AWS article mentions the permissions required for aws s3 sync.
This is what the corresponding policy looks like:
{
  "Version": "version_id",
  "Statement": [
    {
      "Sid": "AllowBucketSync",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::BUCKET-NAME",
        "arn:aws:s3:::BUCKET-NAME/*"
      ]
    }
  ]
}
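As an added illustration (not code from the question or from any of the answers), the following Python script is a toy IAM policy evaluator that makes the cause of the AccessDenied visible: S3 authorizes s3:ListBucket (the permission behind the ListObjectsV2 call that `aws s3 sync` and `aws s3 ls` make) against the bucket ARN itself, and the question's resource pattern `arn:aws:s3:::BUCKET-NAME/*` never matches that ARN, whereas the policy in answer 0 lists both ARNs. It also checks s3:DeleteObject, which `aws s3 sync --delete` in the question's deploy job needs and which the answer 0 policy does not grant. The evaluator deliberately ignores Principal and Condition elements and the policy Version string (a simplification of real IAM evaluation); BUCKET-NAME and the object key are constructed placeholders.

```python
import fnmatch

# Constructed placeholders, matching the BUCKET-NAME placeholder used on the page.
BUCKET_ARN = "arn:aws:s3:::BUCKET-NAME"
OBJECT_ARN = "arn:aws:s3:::BUCKET-NAME/public/index.html"

# The resource S3 authorizes each action against: list operations are checked
# against the bucket ARN itself, object operations against the object ARN.
ACTION_RESOURCE = {
    "s3:ListBucket": BUCKET_ARN,      # what ListObjectsV2 requires
    "s3:GetObject": OBJECT_ARN,
    "s3:PutObject": OBJECT_ARN,
    "s3:DeleteObject": OBJECT_ARN,    # needed by `aws s3 sync --delete`
}


def _as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM-style wildcard match: '*' spans any characters (including '/'),
    '?' exactly one. Square brackets are escaped because fnmatch would treat
    them as character classes, which IAM does not."""
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def is_allowed(policy, action):
    """Simplified IAM evaluation: an explicit Deny wins; otherwise some Allow
    statement must match both the action and the resource S3 checks for it.
    Principal and Condition are ignored (a deliberate simplification)."""
    resource = ACTION_RESOURCE[action]
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def explain(policy):
    """Map every action in ACTION_RESOURCE to whether the policy allows it."""
    return {action: is_allowed(policy, action) for action in ACTION_RESOURCE}


# The bucket policy from the question: s3:* granted only on objects (BUCKET-NAME/*),
# so nothing covers the bucket ARN that ListBucket is checked against.
QUESTION_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "AllowPublicRead",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::BUCKET-NAME/*",
    }],
}

# The policy from answer 0: ListBucket on the bucket ARN, object actions on objects.
SYNC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowBucketSync",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::BUCKET-NAME", "arn:aws:s3:::BUCKET-NAME/*"],
    }],
}

if __name__ == "__main__":
    for name, policy in (("question", QUESTION_POLICY), ("answer 0", SYNC_POLICY)):
        print(name, explain(policy))
```

Running it prints `s3:ListBucket: False` for the question's policy (the ListObjectsV2 denial) and `s3:DeleteObject: False` for the answer 0 policy; a practitioner adding `--delete` to the sync would need to add that action on the object ARN, and nothing more.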
Answer 1 (score: 1)
Try updating your bucket policy to:
{
  "Version": "version_id",
  "Statement": [
    {
      "Sid": "AllowPublicRead",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::BUCKET-NAME",
        "arn:aws:s3:::BUCKET-NAME/*"
      ]
    }
  ]
}
I hope you understand that this is very insecure.
Answer 2 (score: 1)
I also got the "AccessDenied" error even though the policy was correct. Although I had only one (default) credential configured, I tried mrbranden's solution. Lo and behold,
$ aws s3 ls <bucket> --profile=default
worked!
My aws --version is aws-cli/1.18.69 Python/3.8.5 Linux/5.4.0-1035-aws botocore/1.16.19
Answer 3 (score: 0)
I had this problem recently. No matter what I did, no matter what permissions I granted, when running aws s3 ls <bucket>
I had forgotten that I had multiple AWS profiles configured in my environment. The aws command was using the default profile, which has a different set of access keys. I had to specify the --profile flag for the command:
aws s3 ls <bucket> --profile <correct profile>
and it worked. It's a niche situation, but maybe it will help someone.