我按照http://code.google.com/p/s3fs/wiki/InstallationNotes
所述安装s3fs然后在我创建用户bucket_user
然后将他的accessKeyId:secretAccessKey放在/ etc / passwd-s3fs中
他们是S3我创建了一个桶super_bucket
并设定其政策:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AddCanned",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::234234234234:user/bucket_user"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::super_bucket/*"
}
]
}
然后在我的服务器上/ usr / bin / s3fs super_bucket / mnt / s3 /
并收到答案:
s3fs:CURLE_HTTP_RETURNED_ERROR
s3fs:HTTP错误代码:403
s3fs:AWS错误代码:AccessDenied
s3fs:AWS消息:访问被拒绝
正在使用的s3fs版本(s3fs --version):1.61
使用的保险丝版本(pkg-config - modversion保险丝):2.8.4
系统信息(uname -a):Linux Ubuntu-1110-oneiric-64-minimal 3.0.0-14-server#23-Ubuntu SMP Mon 11月21日20:49:05 UTC 2011 x86_64 x86_64 x86_64 GNU / Linux < / p>
Distro(cat / etc / issue):Ubuntu 11.10 \ n \ l
s3fs系统日志消息(grep s3fs / var / log / syslog):空
所以我从开始
开始 服务器上的
nano~ / .passwd-s3fs
cmd + v accessKeyId:secretAccessKey
chmod 600~ / .passwd-s3fs
存储桶策略中的
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AddPerm",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::super_bucket/*",
"arn:aws:s3:::super_bucket"
]
}
]
}
“保存”
/ usr / bin / s3fs super_bucket / mnt / s3 /
再次收到
s3fs:AWS消息:访问被拒绝
答案 0 :(得分:4)
没有人说我需要在AWS IAM中设置用户策略
答案 1 :(得分:1)
<强>更新
显然s3fs有关于IAM支持的问题,包括您正在使用的最新稳定版本1.61,请查看IAM user permissions issue了解详细信息,特别是{{3} }:
显然有人打电话给[comment 4] 这是确定之前是否存在请求的存储桶所必需的 试图登上。
现在, ListAllMyBuckets()是ListAllMyBuckets()而不是operation on the service或bucket,它们是您Resource声明的唯一实体当前目标,因此使用 ListAllMyBuckets()会被您当前的政策有效拒绝。
如object中所述,您必须添加一个额外的策略片段,以相应地满足您的 s3fs 版本的此要求:
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
}
]
或者你可以在应用comment 4中提供的补丁之后从源代码构建s3fs版本1.61,这应该是解决问题的方法(我自己没有测试补丁)。显然,更高版本可能也包含此修复程序,请参阅comment 9。
祝你好运!鉴于预期的功能(即将存储桶挂载为本地文件系统读/写),comment 11 ff可能也需要访问存储桶本身,而不仅仅是其中包含的对象,单独处理 - 尝试用以下内容替换Resource语句:
"Resource": [
"arn:aws:s3:::super_bucket",
"arn:aws:s3:::super_bucket/*",
]
第一个资源以存储桶为目标,而后者则以其中包含的对象为目标。
答案 2 :(得分:0)
我能够通过指定对存储桶本身的 ListBucket 权限和对 存储桶内容 的 Put/Get/DeleteObject 权限来实现此目的。我通过 this CloudAcademy guide 中的 shell 脚本跟踪 this repo,该脚本试图很好地打包它。这是工作方针:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::super_bucket"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::super_bucket/*"
]
}
]
}
在以这种方式定义它之前,我只对存储桶而不是它的内容有很多权限,虽然我能够登录到我的 FTP 实例,但当我尝试 put test.txt 时,我得到了一个553 Could not create file. 消息。
在失败的 put 尝试期间,我在日志中看到了这一点。这是此调试命令的调试输出:
sudo /usr/local/bin/s3fs super_bucket \
-o use_cache=/tmp,iam_role="super_ftp_user",allow_other /home/super_ftp_user/ftp/files \
-o dbglevel=info -f \
-o curldbg \
-o url="https://s3-us-east-1.amazonaws.com" \
-o nonempty
输出:
[CURL DBG] * Connection #8 to host super_bucket.s3-us-east-1.amazonaws.com left intact
[INF] curl.cpp:RequestPerform(2267): HTTP response code 200
[INF] s3fs.cpp:create_file_object(918): [path=/test.txt][mode=100644]
[INF] curl.cpp:PutRequest(3127): [tpath=/test.txt]
[INF] curl.cpp:PutRequest(3145): create zero byte file object.
[INF] curl_util.cpp:prepare_url(250): URL is https://s3-us-east-1.amazonaws.com/super_bucket/test.txt
[INF] curl_util.cpp:prepare_url(283): URL changed is https://super_bucket.s3-us-east-1.amazonaws.com/test.txt
[INF] curl.cpp:PutRequest(3225): uploading... [path=/test.txt][fd=-1][size=0]
[INF] curl.cpp:insertV4Headers(2598): computing signature [PUT] [/test.txt] [] []
[INF] curl_util.cpp:url_to_host(327): url is https://s3-us-east-1.amazonaws.com
[CURL DBG] * Found bundle for host super_bucket.s3-us-east-1.amazonaws.com: 0x7fa0d00d3c60 [can pipeline]
[CURL DBG] * Re-using existing connection! (#8) with host super_bucket.s3-us-east-1.amazonaws.com
[CURL DBG] * Connected to super_bucket.s3-us-east-1.amazonaws.com (123.456.789.012) port 443 (#8)
[CURL DBG] > PUT /test.txt HTTP/1.1
[CURL DBG] > Host: super_bucket.s3-us-east-1.amazonaws.com
[CURL DBG] > User-Agent: s3fs/1.88 (commit hash ***; OpenSSL)
[CURL DBG] > Accept: */*
[CURL DBG] > Authorization: xxxxxxx
[CURL DBG] > Content-Type: application/octet-stream
...
[CURL DBG] > Content-Length: 0
[CURL DBG] >
[CURL DBG] < HTTP/1.1 403 Forbidden
[CURL DBG] < x-amz-request-id: 1234567890
[CURL DBG] < x-amz-id-2: ******
[CURL DBG] < Content-Type: application/xml
[CURL DBG] < Transfer-Encoding: chunked
[CURL DBG] < Date: Tue, 19 Jan 2021 04:30:15 GMT
[CURL DBG] < Server: AmazonS3
[CURL DBG] * HTTP error before end of send, keep sending
[CURL DBG] <
[CURL DBG] * Connection #8 to host super_bucket.s3-us-east-1.amazonaws.com left intact
[ERR] curl.cpp:RequestPerform(2287): HTTP response code 403, returning EPERM. Body Text: <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>1234567890</RequestId><HostId>***</HostId></Error>
[INF] cache.cpp:DelStat(578): delete stat cache entry[path=/test.txt]