我的AWS政策有什么问题? [英] What is Wrong With My AWS Policy?
问题描述
我正在尝试向程序化IAM用户授予对单个存储桶的访问权限.
I am trying to give a programmatic IAM user access to a single bucket.
我设置了以下策略并将其附加到用户:
I setup the following policy and attached it to the user:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::mybucket"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::mybucket/*"
]
}
]
}
尝试以编程方式上传文件时,我得到了403.
Trying to programatically upload a file I got a 403.
我从这里获得了这项政策:
I got this policy from here:
制定IAM策略:如何授予对Amazon S3存储桶的访问权限
我通过添加一个AWS托管策略AmazonS3FullAccess验证了其他所有功能,然后上传成功.但是我不想给该用户完全访问权限.
I verified that everything else is working by then adding an AWS managed policy, AmazonS3FullAccess, after which my upload succeeded. But I would rather not give this user full access.
此用户没有附加其他政策.
There are no other policies attached to this user.
推荐答案
您可以尝试使用此策略来完全访问特定存储桶:
You can try this policy to give full access to a particular bucket:
{
"Version": "2012-10-17",
"Statement": [{
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::<BUCKETNAME>/*"
]
},
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
}
]
}
由于要提供Put
,Get
,Delete
,因此您最好还提供对特定存储桶的完全访问权限.
Since you are providing Put
, Get
, Delete
, You might as well provide full access to the particular bucket.
这篇关于我的AWS政策有什么问题?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!