s3 - An error occurred (403) when calling the HeadObject operation: Forbidden


Problem description


Resource policy for s3 bucket bucket1 is:

{
    "Version": "2012-10-17",
    "Statement": [{
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::bucket1/*",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket1/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                }
            }
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket1/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        }
    ]
}


IAM policy for bucket1 is:

{
    "Action": [
        "s3:GetObject"
    ],
    "Resource": [
        "arn:aws:s3:::bucket1",
        "arn:aws:s3:::bucket1/*"
    ],
    "Effect": "Allow"
}


s3Upload() works fine

Error occurs after performing aws s3 cp s3://url . while copying the file to a local folder

This is a conflict between the IAM policy and the resource policy for s3.

How to make the resource policy allow performing aws s3 cp?

Recommended answer

There are a few issues here. First, your bucket policy document is not valid JSON, but I guess that error happened during copying.

aws s3 cp s3://url doesn't work simply because the bucket policy blocks it, which is the intended behavior in this case. Note that an explicit deny always wins. Your bucket policy denies any upload if the server-side encryption header is missing in the HTTP request. No matter how you define the IAM policy attached to a user, that user will not be able to use the mentioned command as is, due to the explicit deny.

If you want to make it work, you just need to specify server-side encryption in your CLI command by using the appropriate flag --sse AES256 (this is true when uploading objects to the s3 bucket).

aws s3 cp s3://url --sse AES256

Other things I noticed:

In this part

"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket1/*",
"Condition": {
    "Bool": {
        "aws:SecureTransport": "false"
    }
}

you are denying all s3 actions if the request is not using HTTPS, but you have specified only the objects in that bucket - "Resource": "arn:aws:s3:::bucket1/*" - not the bucket itself - "Resource": "arn:aws:s3:::bucket1" - thus your statement applies only to object-level operations. Is this the intended behavior? If you want to deny all actions for both object-level and bucket-level operations that are not using HTTPS, then you need to change your current Resource to

"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
    "arn:aws:s3:::bucket1",
    "arn:aws:s3:::bucket1/*"
],
"Condition": {
    "Bool": {
        "aws:SecureTransport": "false"
    }
}

In this section

{
    "Action": [
        "s3:GetObject"
    ],
    "Resource": [
        "arn:aws:s3:::bucket1",
        "arn:aws:s3:::bucket1/*"
    ],
    "Effect": "Allow"
}

this line in your Resource - "arn:aws:s3:::bucket1" - is completely redundant, because the "s3:GetObject" action is an object-level operation and your statement doesn't contain any bucket-level operations. You can freely remove it. So it should look something like this

{
    "Action": [
        "s3:GetObject"
    ],
    "Resource": "arn:aws:s3:::bucket1/*",
    "Effect": "Allow"
}

Update

When getting an object, be sure that you specify some object, not just the URL of the bucket.

This will work

aws s3 cp s3://bucket/file.txt .

This will fail with a 403 error

aws s3 cp s3://bucket .

If you want to download multiple files at the same time using the above command, you will need to do two things. First, you will need to update your IAM permissions to include s3:ListBucket on the bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket/*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::bucket"
        }
    ]
}

Second, you will need to specify the --recursive flag in the cp command.

aws s3 cp s3://bucket . --recursive
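As an added example (not part of the original question or answer), here is a small Python model of how S3 combines the two policies discussed above: an explicit Deny in either policy wins, otherwise some Allow must match, otherwise the request is implicitly denied. It uses the bucket policy as posted, the question's IAM policy plus a hypothetical s3:PutObject Allow (standing in for whatever lets s3Upload() work), and models only the three condition operators the posted policy uses; real AWS evaluation has further inputs (SCPs, session policies, cross-account rules) that are left out.

```python
import fnmatch

BUCKET = "arn:aws:s3:::bucket1"

# Bucket (resource) policy statements from the question, written with list-valued fields.
BUCKET_POLICY = [
    {"Effect": "Deny", "Action": ["s3:*"], "Resource": [BUCKET + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Effect": "Deny", "Action": ["s3:PutObject"], "Resource": [BUCKET + "/*"],
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
    {"Effect": "Deny", "Action": ["s3:PutObject"], "Resource": [BUCKET + "/*"],
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
]
# IAM policy from the question, plus an assumed s3:PutObject Allow (hypothetical) so
# the example can show that an IAM Allow never overrides a bucket-policy Deny.
IAM_POLICY = [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": [BUCKET, BUCKET + "/*"]},
    {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": [BUCKET + "/*"]},
]

def _condition_holds(op, key, want, ctx):
    """Model of the three operators the policy uses; `have` is None when the key is absent."""
    have = ctx.get(key)
    if op == "Bool":                 # an absent key never satisfies a Bool test
        return have is not None and str(have).lower() == want
    if op == "StringNotEquals":      # holds unless the key is present with exactly that value
        return have != want
    if op == "Null":                 # "true" means the key must be absent from the request
        return (have is None) == (want == "true")
    raise ValueError("unsupported condition operator: " + op)

def _matches(stmt, action, resource, ctx):
    """A statement applies when its Action, Resource and every Condition entry match."""
    if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"]):
        return False
    return all(_condition_holds(op, k, v, ctx)
               for op, keys in stmt.get("Condition", {}).items()
               for k, v in keys.items())

def evaluate(policies, action, resource, ctx):
    """Combine all policies for one request: explicit Deny wins, then any Allow, else implicit Deny."""
    effects = {s["Effect"] for p in policies for s in p if _matches(s, action, resource, ctx)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"

# Request contexts the CLI produces over TLS (the default) and over plain HTTP.
HTTPS, HTTP = {"aws:SecureTransport": "true"}, {"aws:SecureTransport": "false"}
```

Evaluating s3:ListBucket on the bucket ARN over plain HTTP with a ListBucket Allow added to the IAM policy shows the gap the answer points out: the SecureTransport Deny never matches because its Resource covers only bucket1/*, and adding the bucket ARN to that statement closes it.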
