AWS cp上的AccessDenied用于使用SSE KMS加密对象的存储桶

时间:2020-04-09 01:16:47

标签: amazon-s3 aws-cli

我正在尝试使用命令从我的S3存储桶secret-bucket下载一个SSE-KMS加密对象,其中我的AWS账户ID为XXXXXXXX

aws s3 cp s3://secret-bucket/file.json ./file.json

IAM用户政策

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:*"
            ],
            "Resource": "*"
        }
    ]
}
{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}

S3存储桶策略

{
    "Version": "2012-10-17",
    "Id": "access",
    "Statement": [
        {
            "Sid": "get-access",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::XXXXXXXX:root"
                ]
            },
            "Action": [
                "s3:GetObject*",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::secret-bucket/*",
                "arn:aws:s3:::secret-bucket"
            ]
        }
    ]
}

KMS密钥政策

{
    "Version": "2012-10-17",
    "Id": "bucket-key-default-1",
    "Statement": [
        {
            "Sid": "Allow administration of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::XXXXXXXX:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}

显然我在某处缺少一些权限,但似乎无法弄清楚哪一个。有什么想法吗?

0 个答案:

没有答案