策略拒绝对Amazon S3的访问 [英] Policy Denying Access On Amazon S3

问题描述

使用s3cmd，以下策略使我可以像这样列出ListAllBuckets:

Using s3cmd the policy below allows me to ListAllBuckets like this :

s3cmd ls

和这样的ListBucket:

and ListBucket like this :

s3cmd ls s3://backups/

但是我不能上传这样的文件:

but I cannot upload a file like this :

s3cmd put filename s3://backups/

我刚得到这个错误:

ERROR: S3 error: Access Denied

该策略基于搜索和网络上的许多示例，但我只是看不出它出了什么问题.该策略是允许用户仅将文件上传到备份目录(最后，我什至没有列出存储桶中的文件，但我只是为了检查该策略是否实际上已被读取).

The policy is based on searching and many examples on the web, but I just cannot see where it's going wrong. The policy is to allow a user to just upload files to a backup directory (ultimately I don't even what them to list the buckets but I put that in just to check the policy was in fact being read at all).

其他可能相关的信息-

• 我使用Dragon Disk(S3的前端)和其他用户创建了存储桶
• 这个新的IAM用户通过属于附加了策略的组而连接到该策略.

这是政策，请注意，CreateObject和PutObject是仅有的两个原始条目，添加了其他两个条目只是为了看看发生了什么事情:

Here's the policy, note that the CreateObject and PutObject were the only two original entries, the others were added almost just to see what happened :

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectVersionAcl",
                "s3:CreateObject",
                "s3:*"
            ],
            "Resource": "arn:aws:s3:::backups/*"
        }
    ]
}

编辑1-

只需说，如果添加此策略，它就可以正常工作，所以我知道这与我的策略有关:

Just to say that if I add this policy it works fine, so I know it's something to do with my policy :

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}

编辑2- 我制定了另一个策略，我曾经使用它创建了一个名为"asdwasw432"的存储桶，以防万一我的UI创建的存储桶无法使用.但是我仍然无法上载任何文件(访问被拒绝).我可以列出存储桶并创建新的存储桶.所有建议似乎都告诉我要完全按照我在下面的步骤进行操作，但是如果可行，则什么也没有.我还想念其他东西吗?

EDIT 2 - I have made another policy which I have used to create a bucket called "asdwasw432", just in case for whatever reason my UI created bucket was unusable. But I still cannot upload any file to it (Access Denied). I can list the bucket and create new buckets. All the advice seems to tell me to do exactly what I am doing below, but none if it works. Am I missing something else?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1397834652000",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "Stmt1397834745000",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::asdwasw432",
                "arn:aws:s3:::asdwasw432/*"
            ]
        }
    ]
}

推荐答案

好，我已经修复了它，但我仍然很困惑.

Well, I've fixed it but I'm still confused.

原来是我跑步的时候

s3cmd --configure

我接受了默认区域"US".应将其设置为"us-east-1".我通过运行调试发现了这一点

I accepted the default region of "US". This should have been set to "us-east-1". I found this out by running debug

s3cmd -d ..etc...

这显示了包含此内容的一行-

This showed me a line that contained this -

'reason': 'Bad Request', 'data': '<?xml version="1.0" 
encoding="UTF-8"?>\n<Error><Code>AuthorizationHeaderMalformed</Code>
<Message>The authorization header is malformed; the region \'US\' is
 wrong; expecting \'us-east-1\'</Message><Region>us-east-1</Region>

重新运行配置并更正区域即可解决该问题.

Rerunning the config and correcting the region solved it.

如果有人实际上是问题所在，请解释一下为什么我能够使它在不正确的地方工作吗?最近，我通过制作

Please could someone explain why I was able to make it work at all with an incorrect region if the region was in fact the issue? Most recently I got everything to work by making

Action : "*"

这使我陷入另一死角，即我必须使用错误的命令.仅出于完整性考虑，此政策对我有效(只要区域正确！):

which led me down another dead end of assuming I must be using the wrong commands. Just for completeness, this policy works for me (as long as the region is correct!) :

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::asdwasw432",
                "arn:aws:s3:::asdwasw432/*"
            ]
        }
    ]
}

最后一点，我已将此策略附加到用户而非群组.这对我的用法很有意义，但是当我问这个问题时，我是将其附加到一个组并将用户添加到该组.不确定是否会有所作为.

One final note, I have attached this policy to the user instead of the group. This makes sense for my usage but when I asked the question I was attaching it to a group and adding the user to that group. Not sure if that will make a difference or not.

这篇关于策略拒绝对Amazon S3的访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！