AWS IAM存储桶权限访问被拒绝

Question

当我对用户使用管理策略时，有人遇到过这种情况，它可以工作，但是当我使用内联策略时，它说访问被拒绝。我为IAM用户授予对存储桶的读取访问权限，因为它只能访问该存储桶。

管理政策

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": "*"
        }
    ]
}

内联政策

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": "arn:aws:s3:::mybucketname/*"
        }
    ]
}

我也尝试过

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3Permissions",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::mybucketname/*",
        "arn:aws:s3:::mybucketname"
      ]
    }
  ]
}

Answer 1

您的上一条策略应该可以直接访问，如以下所述：

• How can I grant a user Amazon S3 console access to only a certain bucket or folder?

对于控制台访问，还需要其他权限，如下所示：

• Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket

具体来说，该政策应为：

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::test"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": ["arn:aws:s3:::test/*"]
    }
  ]
}

Amazons3ReadonlyAccess具有上述所有权限，您的内联策略则没有。