如何为s3存储桶设置策略，允许经过身份验证的用户列出存储桶或从存储桶中获取任何文件 [英] How can I set a policy for an s3 bucket that allows authenticated users to list the bucket or get any file from the bucket

问题描述

我在存储桶上设置了权限，允许经过身份验证的用户"列出，上传和删除我创建的存储桶.这似乎允许我将文件上传到存储桶，但此权限似乎不包括从存储桶下载文件，因此我需要为存储桶定义 policy .我不清楚如何制定这样的政策.我尽我最大的猜测尝试了策略生成器，但我将其粘贴为存储桶的新策略时，结果不是有效的策略(失败并显示消息Action does not apply to any resource(s) in statement - Action "s3:ListBucket" in Statement "Stmt-some-number").有人可以解释以下策略有什么问题，以及如何正确设置它以允许经过身份验证的用户从存储桶中检索文件?

I have set a permission on the bucket that allows "Authenticated Users" to list, upload, and delete from a bucket I created. This seems to allow me to upload files to the bucket, but it appears that downloading files from the bucket is not covered by this permission, and I instead need to define a policy for the bucket. It's not clear to me how to set such a policy. I tried the policy generator with my best guesses at what I should fill in, but the result was not a valid policy when I pasted it in as a new policy for the bucket (it failed with the message Action does not apply to any resource(s) in statement - Action "s3:ListBucket" in Statement "Stmt-some-number"). Can someone explain what is wrong with the following policy and how to set it correctly to allow authenticated users to retrieve files from the bucket?

{
  "Id": "Policy-some-number",
  "Statement": [
    {
      "Sid": "Stmt-some-number",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Principal": {
        "AWS": [
          "*"
        ]
      }
    }
  ]
}

推荐答案

s3:GetObject适用于存储桶中的对象，因此资源正确:"Resource": "arn:aws:s3:::my-bucket/*".

s3:GetObject applies to the objects in the bucket so the Resource is correct: "Resource": "arn:aws:s3:::my-bucket/*".

s3:ListBucket适用于存储桶本身，因此资源应为"Resource": "arn:aws:s3:::my-bucket"

s3:ListBucket applies to the Bucket itself and so the Resource should be "Resource": "arn:aws:s3:::my-bucket"

您产生的政策应类似于:

your resulting policy should resemble:

{
  "Id": "Policy-some-number",
  "Statement": [
    {
      "Sid": "Stmt-some-number",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Principal": {
        "AWS": [
          "*"
        ]
      }
    },
    {
      "Sid": "Stmt-some-other-number",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my-bucket",
      "Principal": {
        "AWS": [
          "*"
        ]
      }
    }
  ]
}

这篇关于如何为s3存储桶设置策略，允许经过身份验证的用户列出存储桶或从存储桶中获取任何文件的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！