写一个IAM策略和CORS配置的Amazon S3 [英] Writing an IAM policy and CORS configuration for Amazon S3

问题描述

我很新的这一切，但已经能够得到一个头像/图片上传在我的Rails应用程序的工作。用户可以上传一个新头像到我的S3存储和头像显示在Web应用程序中。

为此，我不得不授予AmazonS3FullAccess政策给用户。这似乎是有点过分，因为从应用程序的用户只需要写入（上传自己的头像），阅读（显示在网页中的化身）的权限。

您会同意，因此有更好的编写自定义的政策，而不是使用AmazonS3FullAccess？ 如果是这样，我已经试过了政策code（从<一个通过href="http://blogs.aws.amazon.com/security/post/Tx3VRSWZ6B3SHAV/Writing-IAM-Policies-How-to-grant-access-to-an-Amazon-S3-bucket"相对=nofollow>这里）以下，但这并没有试图上传头像图像时工作（403 Forbidden错误）。任何建议如何解决此code？

  {
  版本：2012年10月17日，
  声明： [
    {
      效果：允许，
      行动：S3：ListBucket]，
      资源：ARN：AWS：S3 ::: mybucket]
    }，
    {
      效果：允许，
      行动： [
        S3：PutObject
        S3：GetObject的，
        S3：DeleteObject
      ]
      资源：ARN：AWS：S3 ::: mybucket / *]
    }
  ]
}
 

解决方案

我已经长大白发试图找出正确的配置。这里有一个的工作对我来说：

  {
    声明： [
        {
            锡德：AllowPublicRead
            行动： [
                S3：ListBucket
                S3：GetObject的，
                S3：PutObject
                S3：PutObjectAcl
                S3：DeleteObject
            ]
            效果：允许，
            资源：
                阿尔恩：AWS：S3 ::: mybucket / *，
                阿尔恩：AWS：S3 ::: mybucket
            ]
        }
    ]
}
 

但你还需要设置你的CORS的配置。 打开 S3控制台，点击你的水桶，显示其属性（右图），然后点击上的权限，你就可以编辑配置。

 ＆LT; XML版本=1.0编码=UTF-8＆GT？;
＆LT; CORSConfiguration的xmlns =htt​​p://s3.amazonaws.com/doc/2006-03-01/＆GT;
    ＆LT; CORSRule＆GT;
        ＆LT; AllowedOrigin＆GT; HTTP：//*.example.com< / AllowedOrigin＆GT;
        ＆LT; AllowedMethod＆GT; GET＆LT; / AllowedMethod＆GT;
        ＆LT; AllowedMethod＆GT; POST＆LT; / AllowedMethod＆GT;
        ＆LT; AllowedMethod＆GT; PUT＆LT; / AllowedMethod＆GT;
        ＆LT; MaxAgeSeconds＆GT; 3000＆LT; / MaxAgeSeconds＆GT;
        ＆LT; AllowedHeader＆GT; *＆LT; / AllowedHeader＆GT;
    ＆LT; / CORSRule＆GT;
    ＆LT; CORSRule＆GT;
        ＆LT; AllowedOrigin＆GT; HTTP：//example.com< / AllowedOrigin＆GT;
        ＆LT; AllowedMethod＆GT; GET＆LT; / AllowedMethod＆GT;
        ＆LT; AllowedMethod＆GT; POST＆LT; / AllowedMethod＆GT;
        ＆LT; AllowedMethod＆GT; PUT＆LT; / AllowedMethod＆GT;
        ＆LT; MaxAgeSeconds＆GT; 3000＆LT; / MaxAgeSeconds＆GT;
        ＆LT; AllowedHeader＆GT; *＆LT; / AllowedHeader＆GT;
    ＆LT; / CORSRule＆GT;
＆LT; / CORSConfiguration＆GT;
 

添加尽可能多的CORSRule你需要，特别是如果你需要HTTPS也是如此。

希望这将有助于。

I am very new to all this but have been able to get an avatar/image uploader to work in my Rails application. A user can upload a new avatar to my S3 bucket and the avatar shows within the web application.

To this end, I've had to grant "AmazonS3FullAccess" policy to the user. That seems like a bit too much, since the user from the application only needs write (upload his avatar) and read (show the avatar on the web page) permission.

Would you agree that it is therefore better to write a custom policy rather than use AmazonS3FullAccess? If so, I've tried the policy code (adopted from here) below but this didn't work (403 Forbidden error when trying to upload an avatar image). Any suggestions how to correct this code?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::mybucket"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": ["arn:aws:s3:::mybucket/*"]
    }
  ]
}

解决方案

I've grown white hair trying to figure out the proper configuration. Here's one that's working for me:

{
    "Statement": [
        {
            "Sid": "AllowPublicRead",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:DeleteObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::mybucket/*",
                "arn:aws:s3:::mybucket"
            ]
        }
    ]
}

But you also need to set your CORS configuration. Open the S3 console, click on your bucket, show its Properties (right panel) and click on Permissions, you'll be able to edit the configuration.

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>http://*.example.com</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
    <CORSRule>
        <AllowedOrigin>http://example.com</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
</CORSConfiguration>

Add as many CORSRule as you need, especially if you need https as well.

Hope that will help.

这篇关于写一个IAM策略和CORS配置的Amazon S3的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！