我正在尝试使用命令从我的S3存储桶secret-bucket
下载一个SSE-KMS加密对象,其中我的AWS账户ID为XXXXXXXX
aws s3 cp s3://secret-bucket/file.json ./file.json
IAM用户政策
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:*"
],
"Resource": "*"
}
]
}
{
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
S3存储桶策略
{
"Version": "2012-10-17",
"Id": "access",
"Statement": [
{
"Sid": "get-access",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::XXXXXXXX:root"
]
},
"Action": [
"s3:GetObject*",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::secret-bucket/*",
"arn:aws:s3:::secret-bucket"
]
}
]
}
KMS密钥政策
{
"Version": "2012-10-17",
"Id": "bucket-key-default-1",
"Statement": [
{
"Sid": "Allow administration of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXXXX:root"
},
"Action": "kms:*",
"Resource": "*"
}
]
}
显然我在某处缺少一些权限,但似乎无法弄清楚哪一个。有什么想法吗?