策略拒绝对Amazon S3的访问 [英] Policy Denying Access On Amazon S3
问题描述
使用s3cmd,以下策略使我可以像这样列出ListAllBuckets:
Using s3cmd the policy below allows me to ListAllBuckets like this :
s3cmd ls
和这样的ListBucket:
and ListBucket like this :
s3cmd ls s3://backups/
但是我不能上传这样的文件:
but I cannot upload a file like this :
s3cmd put filename s3://backups/
我刚得到这个错误:
ERROR: S3 error: Access Denied
该策略基于搜索和网络上的许多示例,但我只是看不出它出了什么问题.该策略是允许用户仅将文件上传到备份目录(最后,我什至没有列出存储桶中的文件,但我只是为了检查该策略是否实际上已被读取).
The policy is based on searching and many examples on the web, but I just cannot see where it's going wrong. The policy is to allow a user to just upload files to a backup directory (ultimately I don't even what them to list the buckets but I put that in just to check the policy was in fact being read at all).
其他可能相关的信息-
- 我使用Dragon Disk(S3的前端)和其他用户创建了存储桶
- 这个新的IAM用户通过属于附加了策略的组而连接到该策略.
这是政策,请注意,CreateObject和PutObject是仅有的两个原始条目,添加了其他两个条目只是为了看看发生了什么事情:
Here's the policy, note that the CreateObject and PutObject were the only two original entries, the others were added almost just to see what happened :
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl",
"s3:CreateObject",
"s3:*"
],
"Resource": "arn:aws:s3:::backups/*"
}
]
}
编辑1-
只需说,如果添加此策略,它就可以正常工作,所以我知道这与我的策略有关:
Just to say that if I add this policy it works fine, so I know it's something to do with my policy :
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
编辑2- 我制定了另一个策略,我曾经使用它创建了一个名为"asdwasw432"的存储桶,以防万一我的UI创建的存储桶无法使用.但是我仍然无法上载任何文件(访问被拒绝).我可以列出存储桶并创建新的存储桶.所有建议似乎都告诉我要完全按照我在下面的步骤进行操作,但是如果可行,则什么也没有.我还想念其他东西吗?
EDIT 2 - I have made another policy which I have used to create a bucket called "asdwasw432", just in case for whatever reason my UI created bucket was unusable. But I still cannot upload any file to it (Access Denied). I can list the bucket and create new buckets. All the advice seems to tell me to do exactly what I am doing below, but none if it works. Am I missing something else?
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1397834652000",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "Stmt1397834745000",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::asdwasw432",
"arn:aws:s3:::asdwasw432/*"
]
}
]
}
推荐答案
好,我已经修复了它,但我仍然很困惑.
Well, I've fixed it but I'm still confused.
原来是我跑步的时候
s3cmd --configure
我接受了默认区域"US".应将其设置为"us-east-1".我通过运行调试发现了这一点
I accepted the default region of "US". This should have been set to "us-east-1". I found this out by running debug
s3cmd -d ..etc...
这显示了包含此内容的一行-
This showed me a line that contained this -
'reason': 'Bad Request', 'data': '<?xml version="1.0"
encoding="UTF-8"?>\n<Error><Code>AuthorizationHeaderMalformed</Code>
<Message>The authorization header is malformed; the region \'US\' is
wrong; expecting \'us-east-1\'</Message><Region>us-east-1</Region>
重新运行配置并更正区域即可解决该问题.
Rerunning the config and correcting the region solved it.
如果有人实际上是问题所在,请解释一下为什么我能够使它在不正确的地方工作吗?最近,我通过制作
Please could someone explain why I was able to make it work at all with an incorrect region if the region was in fact the issue? Most recently I got everything to work by making
Action : "*"
这使我陷入另一死角,即我必须使用错误的命令.仅出于完整性考虑,此政策对我有效(只要区域正确!):
which led me down another dead end of assuming I must be using the wrong commands. Just for completeness, this policy works for me (as long as the region is correct!) :
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::asdwasw432",
"arn:aws:s3:::asdwasw432/*"
]
}
]
}
最后一点,我已将此策略附加到用户而非群组.这对我的用法很有意义,但是当我问这个问题时,我是将其附加到一个组并将用户添加到该组.不确定是否会有所作为.
One final note, I have attached this policy to the user instead of the group. This makes sense for my usage but when I asked the question I was attaching it to a group and adding the user to that group. Not sure if that will make a difference or not.
这篇关于策略拒绝对Amazon S3的访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!