我有S3,该S3限制了提供私人内容的政策。只有Cloudfront Origin Access Identity可以访问。但是,应该允许其他帐户上载新对象,以便客户端可以获取新资产。对于这种情况应制定什么样的政策?
目前我的政策是这样
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity SomeID12334"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
}
答案 0 :(得分:0)
您可以在存储桶策略中添加多个语句来处理权限。 从另一个帐户提供角色ARN,以提供对存储桶执行特定操作的访问权限。
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity SomeID12334"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
},
{
"Sid": "Stmt1570159952662",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<accountno>:role/rolename"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::my-bucket"
}