我有一个S3存储桶,我想允许通过预签名URL进行条件文件访问。我正在使用Boto3生成URL,并且已经创建了一个IAM角色,并带有一个内联策略,以使其可以访问存储桶。我还更新了存储桶策略,以允许该用户的“获取”,“放置”和“删除”权限。不过,当我尝试获取生成的预签名URL时,我收到了拒绝访问错误。我是否在这里公然缺少AWS设置?我阅读的所有文档都指出我的设置已经足够。
我的IAM用户内联策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::BUCKET-NAME"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::BUCKET-NAME/*"
]
}
]
}
我的S3存储桶策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Example permissions",
"Effect": "Allow",
"Principal": {
"AWS": "IAM-USER-ARN"
},
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::BUCKET-NAME"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "IAM-USER-ARN"
},
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::BUCKET-NAME/*"
}
]
}
用于生成URL的Boto3代码(使用具有访问权限的配置文件和IAM角色在〜/ .aws / credentials中的秘密密钥):
session = boto3.Session(profile_name='IAM-PROFILE')
s3_client = session.client(
's3',
'us-east-2',
config=Config(signature_version='s3v4'),
)
presigned_response = s3_client.generate_presigned_url(
'get_object',
Params = {'Bucket': 'BUCKET-NAME', 'Key': 'FILE-NAME.png'},
ExpiresIn = 3600
)