Verifying S3 credentials w/o GET or PUT using boto3


Problem description

Is there a way to verify a given set of S3 credentials has access to a specific bucket without doing an explicit PUT or GET of some sort?

Instantiating an s3.Client, s3.Resource or s3.Bucket object doesn't seem to verify credentials at all, let alone bucket access.

boto3 1.4.7. python 2.7.13.

We have automation and orchestration that automates bucket creation and I want to include a piece that verifies a user's access key and secret. I know the bucket exists at this point since I created it. The bucket is empty.

I want to verify a user has access w/o doing a PUT operation.

Thanks for your help.

*UPDATE*

I ended up doing this with an s3.Client object:

objects = client.list_objects(Bucket=cfg['bucket'])

Since the bucket is empty this is a lightweight operation and a one-liner for the most part. (wrapped in a try block)

Recommended answer

Yes, you can use IAM policy simulation for that. Here's an example:

import boto3

iam = boto3.client('iam')
sts = boto3.client('sts')

# Get the arn represented by the currently configured credentials
arn = sts.get_caller_identity()['Arn']

# Create an arn representing the objects in a bucket
bucket_objects_arn = 'arn:aws:s3:::%s/*' % 'my-test-bucket'

# Run the policy simulation for the basic s3 operations
results = iam.simulate_principal_policy(
    PolicySourceArn=arn,
    ResourceArns=[bucket_objects_arn],
    ActionNames=['s3:PutObject', 's3:GetObject', 's3:DeleteObject']
)
for result in results['EvaluationResults']:
    print("%s - %s" % (result['EvalActionName'], result['EvalDecision']))

You can find all of the s3 actions here.

One caveat to this is that IAM is eventually consistent, so if you're creating users on the fly you still might have to wait a bit for the changes to propagate.
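
Added example, not part of the original answer: the same simulation wrapped as a reusable check that follows result pagination and maps an STS assumed-role session ARN to the IAM role ARN that `simulate_principal_policy` expects as `PolicySourceArn`. The helper names and the `StubSTS`/`StubIAM` classes are hypothetical, constructed so the code runs offline; with real credentials pass `boto3.client('iam')` and `boto3.client('sts')` instead.

```python
import re

def principal_arn(caller_arn):
    """Map an STS assumed-role session ARN to the IAM role ARN the simulator accepts."""
    m = re.match(r"arn:(aws[\w-]*):sts::(\d+):assumed-role/([^/]+)/", caller_arn)
    if m:
        # Assumption: the role has no IAM path; the session ARN does not carry one.
        return "arn:%s:iam::%s:role/%s" % m.groups()
    return caller_arn  # IAM user ARNs are passed through unchanged


def simulate_object_access(iam, sts, bucket,
                           actions=("s3:PutObject", "s3:GetObject", "s3:DeleteObject")):
    """Return {action: decision} for the caller's policies on arn:aws:s3:::bucket/*."""
    kwargs = {
        "PolicySourceArn": principal_arn(sts.get_caller_identity()["Arn"]),
        "ResourceArns": ["arn:aws:s3:::%s/*" % bucket],
        "ActionNames": list(actions),
    }
    decisions = {}
    while True:
        page = iam.simulate_principal_policy(**kwargs)
        for r in page["EvaluationResults"]:
            decisions[r["EvalActionName"]] = r["EvalDecision"]
        if not page.get("IsTruncated"):
            return decisions
        kwargs["Marker"] = page["Marker"]  # request the next page of results


def missing_permissions(decisions):
    """Actions whose decision is not 'allowed' (implicitDeny or explicitDeny)."""
    return sorted(a for a, d in decisions.items() if d != "allowed")


class StubSTS(object):  # constructed stand-in for boto3.client('sts')
    def get_caller_identity(self):
        return {"Arn": "arn:aws:sts::111122223333:assumed-role/uploader/session-1"}


class StubIAM(object):  # constructed stand-in that returns two pages of results
    def simulate_principal_policy(self, **kw):
        self.seen_arn = kw["PolicySourceArn"]
        if "Marker" not in kw:
            return {"EvaluationResults": [
                {"EvalActionName": "s3:PutObject", "EvalDecision": "allowed"}],
                "IsTruncated": True, "Marker": "page2"}
        return {"EvaluationResults": [
            {"EvalActionName": "s3:GetObject", "EvalDecision": "implicitDeny"},
            {"EvalActionName": "s3:DeleteObject", "EvalDecision": "explicitDeny"}],
            "IsTruncated": False}
```

The simulation evaluates the principal's identity-based policies; a bucket policy is only taken into account if it is supplied through the `ResourcePolicy` parameter.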
