IAM策略列出S3存储内的特定文件夹的用户 [英] IAM Policy to list specific folders inside a S3 bucket for an user

问题描述

我下面的键斗下的 demo.for.customers

demo.for.customers/customer1/
demo.for.customers/customer2/

现在我有2个客户，即的customer1 和的customer2 。这就是我想要的：

Now I have 2 customers namely customer1 and customer2. This is what I want:

1. 授予他们只能访问的 demo.for.customers 桶。
2. 的customer1应该能够访问仅 demo.for.customers /的customer1 / 和应该的customer2能够访问仅 demo.for.customers / customer2表/ 。

1. Grant them access to only demo.for.customers bucket.
2. customer1 should be able to access only demo.for.customers/customer1/ and customer2 should be able to access only demo.for.customers/customer2/.

和我能够用下面的政策（我创造的政策为每一个客户，所以我贴一个只为的customer1下文。）我已经定义了这一政策IAM而不是在S3来实现这一点。

And I am able to achieve this with below policy ( I am creating policy for each customer. Hence I am pasting the one only for customer1 below.) I have defined this policy in IAM and not in S3.

{
 "Version":"2012-10-17",
 "Statement": [
   {
     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::*"]
   },
   {
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::demo.for.customers"],
      "Condition":{"StringEquals":{"s3:prefix":["","customer1/"],"s3:delimiter":["/"]}}
   },
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::demo.for.customers/customer1/*"]
    }
]
}

问题：

1. 的customer1能够看到我所有的桶，尽管他不能访问它们。我不想这样。他应该能看到的只有 demo.for.customers
2. 的customer1能够看到 demo.for.customers / customer2表以及他虽然不能访问它。这是非常不能接受的，因为我不希望他甚至看到我这下斗什么其他的客户文件夹。

1. Customer1 is able to see all my bucket although he can't access any of them . I don't want this. He should be able to see only demo.for.customers
2. Customer1 is able to see demo.for.customers/customer2 as well although he can't access it. THis is highly unacceptable as I don't want him to even see what other customer folders I have under this bucket.

问题：

1. 在做大量的谷歌搜索后，我才知道，也没有办法为列表中选择特定水桶。这是真的吗？
2. 不过，我必须找到一种方法为只列出特定的文件夹一桶水给定用户里面。那怎么办？

1. After doing a lot of googling, I came to know that there is no way to list specific buckets. Is this really true?
2. However, I have to find a way to list only specific folders inside a bucket for a given user. How to do that?

感谢。

推荐答案

关于你的问题：

1. 不幸的是没有办法只列出某些桶。如果目的只是以允许访问所述一个已知的桶，我会删除的第一个语句完全，因为它不增加任何值（桶是已知的，并且不会需要列）。
2. 您可以显示code使用的是列出桶含量？基于你在这里已经证明了我所期望的customer1只能够列出的桶含量在他们的preFIX根和无处。

关于你的问题：

1. 是的，有没有办法将某些存储桶。这份名单桶API是一个全有或全无操作。
2. 这是由preFIX完成。您使用的是什么语言？我们有一个使用令牌自动贩卖机，以每用户访问提供到了AWS移动软件开发工具包样品S3斗。

这篇关于IAM策略列出S3存储内的特定文件夹的用户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！