AWS CLI s3复制失败并显示403错误,试图管理用户上传的对象 [英] AWS CLI s3 copy fails with 403 error, trying to administrate a user-uploaded object
问题描述
尝试将文件从S3存储桶复制到我的本地计算机上:
Trying to copy a file from an S3 bucket to my local machine:
aws s3 cp s3://my-bucket-name/audio-0b7ea3d0-13ab-4c7c-ac66-1bec2e572c14.wav ./
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
我已经确认的事情:
- 我正在使用版本
aws-cli/1.11.13 Python/3.5.2 Linux/4.4.0-75-generic botocore/1.4.70 - S3对象键正确.我已经直接从S3 Web界面复制了它.
- AWS CLI配置了有效凭证.我生成了一个新的密钥/秘密对.在重新配置aws cli之前,我删除了〜/.aws文件夹.在线的IAM Web界面确认arn特定的用户实际上正在通过CLI使用S3.
- 根据是否存在通过CLI授予访问权限的其他方法?我不相信.
- I'm using version
aws-cli/1.11.13 Python/3.5.2 Linux/4.4.0-75-generic botocore/1.4.70 - The S3 Object key is correct. I have copied it directly from the S3 web interface.
- The AWS CLI is configured with valid credentials. I generated a new key/secret pair. I deleted the ~/.aws folder before re-configuring the aws cli. The IAM web interface online confirms that the user specific by arn is in fact making use of S3 via the CLI.
- The IAM user is granted the S3 full access managed policy, per this SO post. I removed all this users' policies, and then added only the AWS managed policy called AdministratorAccess, which includes "S3, Full access, All resources." Is there a different way to grant access via the CLI? I did not believe so.
桶策略旨在授予广泛的访问权限:
Bucket policy is intended to grant wide open access:
{
"Sid": "AdminAccess",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::my-bucket-name",
"arn:aws:s3:::my-bucket-name/*"
]
}
我如何上传该对象?
How did I upload this object?
我使用AWS Signature v4签名的上传策略将该对象从客户端浏览器中的Web应用程序直接上传到AWS.
I uploaded this object using AWS Signature v4 signed upload policy from a web app in the client browser directly to AWS.
推荐答案
事实证明,查看对象属性后,我可以看到OBJECT的所有者为匿名",并且匿名"用户也具有以下权限:这个对象.
It turns out, looking at the object properties, I can see the Owner of the OBJECT is "Anonymous," and also "Anonymous" user has full permission to this object.
我相信这就是为什么我无法访问该对象(已通过身份验证)的原因.示例:由于匿名"用户具有完全权限,因此我可以使用Web浏览器通过GET访问.这是按设计运行的. S3存储桶用于上传文件,然后供公众使用.
I believe this is why I'm not able to access this object (I'm authenticated). Example: Since the "Anonymous" user has full permission, I am able to access via GET using a Web browser. This is functioning as designed. The S3 bucket is for uploading files which then become available for public consumption.
因此,使用上传策略对文件进行POST操作后,结果所有者为匿名".
So when the file is POST'ed with the upload policy, the resulting owner is "Anonymous".
在这种情况下,上传对象时应使用acl=bucket-owner-full-control,以便存储桶拥有者可以控制该对象.
这样做,所有者仍将是匿名",但是,它将授予存储桶所有者(我)完整的权限,此后,我应该能够通过AWS CLI访问该对象.
In this case, acl=bucket-owner-full-control should be used while uploading the object so the bucket owner can control the object.
Doing this, the owner will still be "Anonymous", however, it'll give the bucket owner (me) the full permission and I should be able to access the object after that, via AWS CLI.
请注意,acl=ec2-bundle-read是默认值,实际上已硬编码到最新的AWS开发工具包中.参见
Note that acl=ec2-bundle-read is a default that's actually hard-coded into the latest AWS SDK. See https://github.com/aws/aws-sdk-java/blob/7844c64cf248aed889811bf2e871ad6b276a89ca/aws-java-sdk-ec2/src/main/java/com/amazonaws/services/ec2/util/S3UploadPolicy.java#L77
有必要将 S3UploadPolicy.java 复制到我自己的代码库中(事实证明,这是一个完全可移植的小实用程序类),并对其进行修改以便使用acl=bucket-owner-full-control.而且我已经证实这可以通过AWS CLI管理上传的对象.
It was necessary to copy S3UploadPolicy.java into my own codebase (it's an entirely portable little utility class, it turns out) and modify it in order to use acl=bucket-owner-full-control. And I have verified that this affords the administration of uploaded objects via AWS CLI.
这篇关于AWS CLI s3复制失败并显示403错误,试图管理用户上传的对象的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
