我的AWS政策有什么问题? [英] What is Wrong With My AWS Policy?

问题描述

我正在尝试向程序化IAM用户授予对单个存储桶的访问权限.

I am trying to give a programmatic IAM user access to a single bucket.

我设置了以下策略并将其附加到用户:

I setup the following policy and attached it to the user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket/*"
            ]
        }
    ]
}

尝试以编程方式上传文件时，我得到了403.

Trying to programatically upload a file I got a 403.

我从这里获得了这项政策:

I got this policy from here:

制定IAM策略:如何授予对Amazon S3存储桶的访问权限

我通过添加一个AWS托管策略AmazonS3FullAccess验证了其他所有功能，然后上传成功.但是我不想给该用户完全访问权限.

I verified that everything else is working by then adding an AWS managed policy, AmazonS3FullAccess, after which my upload succeeded. But I would rather not give this user full access.

此用户没有附加其他政策.

There are no other policies attached to this user.

推荐答案

您可以尝试使用此策略来完全访问特定存储桶:

You can try this policy to give full access to a particular bucket:

{
    "Version": "2012-10-17",
    "Statement": [{
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::<BUCKETNAME>/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        }
    ]
}

由于要提供Put，Get，Delete，因此您最好还提供对特定存储桶的完全访问权限.

Since you are providing Put, Get, Delete, You might as well provide full access to the particular bucket.

这篇关于我的AWS政策有什么问题?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！