您如何允许授予对上载到AWS S3的对象的公共读取访问权限? [英] How do you allow granting public read access to objects uploaded to AWS S3?

问题描述

我创建了一个策略，该策略允许访问帐户中的单个S3存储桶.然后，我创建了一个仅具有此策略的组，并且该组中包含一个用户.

I have created a policy that allows access to a single S3 bucket in my account. I then created a group that has only this policy and a user that is part of that group.

用户可以按预期查看，删除文件并将其上传到存储桶.但是，用户似乎无法授予公众对上载文件的读取权限.

The user can view, delete and upload files to the bucket, as expected. However, the user does not seem to be able to grant public read access to uploaded files.

选择授予对此对象的公共读取权限选项时，上传将失败.

When the Grant public read access to this object(s) option is selected, the upload fails.

该存储桶托管着一个静态网站，我想允许前端开发人员上传文件并将其公开.

The bucket is hosting a static website and I want to allow the frontend developer to upload files and make them public.

用户角色的策略如下:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "s3:*"
        ],
        "Resource": "arn:aws:s3:::my-bucket"
    },
    {
        "Effect": "Allow",
        "Action": [
            "s3:*"
        ],
        "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}

当IAM用户尝试授予对上载文件的公共访问权限时，会发生以下情况:

This is what happens when the IAM user tries to grant public access to the uploaded file:

代理错误似乎无关紧要，但本质上是上传卡死了，什么也没发生.如果他们未选择授予公共访问权限选项，则上传会立即进行(尽管也会显示代理错误).

The proxy error seems unrelated, but essentially the upload is stuck and nothing happens. If they don't select the Grant public access option, the upload goes through immediately (despite the proxy error showing up as well).

推荐答案

为重现您的情况，我执行了以下操作:

To reproduce your situation, I did the following:

• 使用默认设置(阻止公共访问=开启)创建了一个新的 Amazon S3存储桶
• 创建了 IAM用户(未附加政策)
• 创建了一个 IAM组(未附加政策)
• 将IAM用户添加到IAM组
• 将您的策略​​(从问题中)作为内联策略
附加到IAM组(更新存储桶名称)
• 以新的IAM用户身份登录到Amazon S3管理控制台

• Created a new Amazon S3 bucket with default settings (Block Public Access = On)
• Created an IAM User (with no policies attached)
• Created an IAM Group (with no policies attached)
• Added the IAM User to the IAM Group
• Attached your policy (from the Question) to the IAM Group (updating the bucket name) as an inline policy
• Logged into the Amazon S3 management console as the new IAM User

这时，用户收到Access Denied错误，因为不允许他们列出所有Amazon S3存储桶.因此，该控制台不可用.

At this point, the user received an Access Denied error because they were not permitted to list all Amazon S3 buckets. Thus, the console was not usable.

相反，我运行了这个AWS CLI命令:

Instead, I ran this AWS CLI command:

aws s3 cp foo.txt s3://new-bucket/ --acl public-read

结果是:

调用PutObject操作时发生错误(AccessDenied):访问被拒绝

An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

但是，该操作成功完成:

However, the operation succeeded with:

aws s3 cp foo.txt s3://new-bucket/

这意味着--acl是被拒绝的组件.

This means that the --acl is the component that was denied.

然后，我进入阻止公共访问的存储桶，并关闭了名为阻止对通过新访问控制列表(ACL)授予的存储桶和对象的公共访问"的选项.我的设置是:

I then went to Block Public Access for the bucket and turned OFF the option called "Block public access to buckets and objects granted through new access control lists (ACLs)". My settings were:

然后我再次运行此命令:

I then ran this command again:

aws s3 cp foo.txt s3://new-bucket/ --acl public-read

成功了！

要验证这一点，我回到了阻止公共访问并打开了所有选项(通过顶部的复选框).我重新运行该命令，它再次访问被拒绝，确认原因是阻止公共访问"设置.

To verify this, I went back into Block Public Access and turned ON all options (via the top checkbox). I re-ran the command and it was Access Denied again, confirming that the cause was the Block Public Access setting.

底线:关闭第一个阻止公共访问"设置.

Bottom line: Turn off the first Block Public Access setting.

这篇关于您如何允许授予对上载到AWS S3的对象的公共读取访问权限?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！