S3存储桶的基本AWS IAM权限 [英] Basic AWS IAM permissions for an S3 bucket
问题描述
我正在尝试为IAM用户/密钥确定一个基本权限集,使其必须只能访问S3中的单个存储桶-仅对单个存储桶具有读/写访问权限.
完成这项工作所需的最低权限集是什么?我在IAM策略生成器中为S3选择了所有选项,并在存储桶上启用了除CreateBucket
和DeleteBucket
之外的所有权限.我还创建了一组特定于该用户的密钥.
当我尝试使用这些凭据访问存储桶时,即使启用了ListAllMyBuckets
属性,我也会在列出存储桶时遇到问题.
任何人都有设置像这样的基本存储桶配置的经验吗?似乎很普遍...
Amazon S3的示例策略涵盖了与您的案例相似或相关的各种用例-特别是您可能希望将示例1:允许每个用户在Amazon S3 中将主目录与示例2:允许用户仅列出公司存储桶中其主目录中的对象-您只需要调整Resource
即可将其定位到存储桶根目录,即替换/home/bob/*
和*
.
请注意,示例2 有助于 ListBucket ,它是对存储桶的操作 返回有关存储桶中某些项目的信息,而服务上的操作 返回请求发送方拥有的所有存储桶的列表,因此可能不适用于您的用例(请参阅我对后者的说明). /p>
I'm trying to figure out a basic permission set for an IAM user/key to have to have access to only a single bucket in S3 - only read/write access on an individual bucket.
What set of permissions is the minimum required to make this work? I have all options selected in the IAM policy generator for S3, all permissions enabled on the bucket except CreateBucket
and DeleteBucket
. I've also created a set of keys specific to this user.
When I try to access the bucket with these credentials, I get a problem listing buckets, even though the ListAllMyBuckets
property is enabled.
Anyone have any experience setting up a basic bucket config like this? Seems like it would be pretty common...
The Example Policies for Amazon S3 cover various use cases similar or related to yours - specifically you might probably want to combine Example 1: Allow each user to have a home directory in Amazon S3 with Example 2: Allow a user to list only the objects in his or her home directory in the corporate bucket - you'd just need to adjust the Resource
to target your buckets root directory instead, i.e. replace /home/bob/*
with *
.
Please note that Example 2 facilitates ListBucket, which is an operation on a bucket that returns information about some of the items in the bucket, whereas ListAllMyBuckets is an operation on the service that returns a list of all buckets owned by the sender of the request, so likely not applicable to your use case (see my comment regarding clarification of the latter).
这篇关于S3存储桶的基本AWS IAM权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!