我有一组用户:user1和user2。理想情况下,他们应该有权在自己的存储桶中进行读取和写入。
我想给他们控制台访问权限,以便他们可以通过拖放登录和上传S3中的数据。
因此,我希望一个用户能够查看其他用户的存储桶。
我正在使用以下IAM策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads"
],
"Resource": "arn:aws:s3:::user1_bucket",
"Condition": {}
},
{
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl"
],
"Resource": "arn:aws:s3:::user1_bucket/*",
"Condition": {}
}
]
}
但是它不会为用户显示任何存储桶。用户只能看到拒绝访问。 我试图在策略中添加主体:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::9xxxxxxxxxx:user/user1"},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::user1_bucket"
]
}
]
}
这给出了一个错误。
This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar, see AWS IAM Policies
我该怎么办?
答案 0 :(得分:0)
有两种方法可以执行此操作。
存储桶策略:您可以通过附加策略来选择谁可以访问和控制所述存储桶。您的案例示例:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "bucketAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AWS-account-ID:user/user-name"
},
"Action": [
"s3:GetObject",
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl"
],
"Resource": [
"arn:aws:s3:::examplebucket/*"
]
}
]
}
来源:Bucket Policy Examples - Amazon Simple Storage Service
或者您可以通过角色策略授予访问权限,我认为这样更好。您几乎拥有了它,但是最后一团糟。您的政策应如下所示:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::examplebucket"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::examplebucket/"
}
]
}
来源:User Policy Examples - Amazon Simple Storage Service
我希望这会有所帮助。
答案 1 :(得分:0)
您的要求似乎是:
带有列表桶
第一个要求可以通过以下政策来满足:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AccessThisBucket",
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
]
},
{
"Sid": "ListAllBucketForS3Console",
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
}
]
}
这允许他们访问其特定存储桶,但也允许他们列出所有存储桶名称。这是Amazon S3管理控制台的要求,因为它要做的第一件事就是列出所有存储桶。
没有列表存储桶
但是,由于您不想让这些用户列出所有存储桶的名称,因此可以使用以下策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
]
}
]
}
这使他们可以完全访问自己的存储桶,但是他们无法列出其他存储桶的名称。
要在管理控制台中使用此功能,他们将需要使用以下网址直接直接跳转到其存储桶:
https://console.aws.amazon.com/s3/buckets/my-bucket
这将允许他们访问和使用其存储桶。
他们还将能够使用AWS Command-Line Interface (CLI)命令,例如:
aws s3 ls s3://my-bucket
aws s3 cp foo.txt s3://my-bucket/foo.txt
底线::要在未经许可的情况下使用管理控制台列出所有存储桶,他们将需要使用直接跳转到其存储桶的URL。