IAM配置以访问S3上的jgit [英] IAM configuration to access jgit on S3

问题描述

我正在尝试创建IAM权限，以便jgit可以访问我的存储桶之一中的目录.

I am trying to create IAM permissions so jgit can access a directory in one of my buckets.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::<mybucket>/<mydir>/*"]   
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": ["arn:aws:s3:::<mybucket>/<mydir>"]
    }
  ]  
}

不幸的是，它引发了一个错误.我不确定还需要采取什么其他允许措施才能使其正常工作. (IAM的新功能).

Unfortunately it throws an error. I am not sure what other allow actions need to happen for this to work. (A little new at IAM).

Caused by: java.io.IOException: Reading of '<mydir>/packed-refs' failed: 403 Forbidden
    at org.eclipse.jgit.transport.AmazonS3.error(AmazonS3.java:519)
    at org.eclipse.jgit.transport.AmazonS3.get(AmazonS3.java:289)
    at org.eclipse.jgit.transport.TransportAmazonS3$DatabaseS3.open(TransportAmazonS3.java:284)
    at org.eclipse.jgit.transport.WalkRemoteObjectDatabase.openReader(WalkRemoteObjectDatabase.java:365)
    at org.eclipse.jgit.transport.WalkRemoteObjectDatabase.readPackedRefs(WalkRemoteObjectDatabase.java:423)
    ... 13 more
Caused by: java.io.IOException:
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>...</RequestId><HostId>...</HostId></Error>
    at org.eclipse.jgit.transport.AmazonS3.error(AmazonS3.java:538)
    ... 17 more

"403禁止访问"显然是错误，但不确定需要向IAM添加什么内容.有什么想法吗?

The 403 Forbidden is obviously the error but not sure what needs to be added to the IAM. Any ideas?

[也应该添加，我在策略模拟器中对此进行了尝试，并且似乎可以在其中运行.]

[Should have added, too, that I tried this out in the policy simulator and it appeared to work there.]

推荐答案

"403"错误可能只是表示键<mydir>/packed-refs不存在.根据 https://forums.aws.amazon.com/thread.jspa? threadID = 56531 :

The "403" error may simply mean that the key <mydir>/packed-refs doesn't exist. According to https://forums.aws.amazon.com/thread.jspa?threadID=56531:

当请求不存在的密钥并且不允许请求者列出存储桶的内容时，Amazon S3将返回AccessDenied错误.

Amazon S3 will return an AccessDenied error when a nonexistent key is requested and the requester is not allowed to list the contents of the bucket.

如果是第一次推送，则该文件夹可能不存在，我想您需要在 parent 目录上具有ListBucket特权才能获得正确的NoSuchKey响应.尝试将第一条语句更改为:

If you're pushing for the first time, that folder might not exist, and I'm guessing you would need ListBucket privileges on the parent directory to get the proper NoSuchKey response. Try changing that first statement to:

{
  "Effect": "Allow",
  "Action": ["s3:ListBucket"],
  "Resource": ["arn:aws:s3:::<mybucket>/*"]   
}

我还注意到，jgit push s3 refs/heads/master在jgit push s3 master无效时起作用.

I also noticed that jgit push s3 refs/heads/master worked when jgit push s3 master did not.

对于未来的人们:如果您要做的就是与自己的用户一起建立git repos存储桶，那么以下安全策略似乎已经足够好了:

To future folk: if all you want to do is to set up a git repos bucket with its own user, the following security policy seems to be good enough:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<bucketname>"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::<bucketname>/*"
            ]
        }
    ]
}

这篇关于IAM配置以访问S3上的jgit的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！