跨账户的Amazon S3文件'Access Denied'异常 [英] Amazon S3 file 'Access Denied' exception in Cross-Account
问题描述
我有2个AWS账户.帐户A具有S3存储桶"BUCKET",我已使用Java api在其中存储了文件.我已将存储桶"策略配置为允许跨帐户文件发布.
但是,当我尝试从帐户A打开该文件时,它说 AccessDenied 访问被hostId和requestId拒绝.
I've 2 AWS accounts. Account A has S3 bucket 'BUCKET' in which I've put file using Java api. I've configured my 'BUCKET' policy to allow cross-account file publishing.
But, when I try to open this file from Account A, it says AccessDeniedAccess Denied with hostId and requestId.
此文件使用Java api通过帐户B发布,并且该文件的大小与通过api发布的文件大小相同.我尝试更改文件大小,新大小显示在AWS S3控制台上. 这是我的存储桶策略:
This file is published through Account B using java api, and this file has same size as that published through api. I tried to change file sizes and the new sizes were shown on AWS S3 console. Here is my bucket policy:
{
"Version": "2008-10-17",
"Id": "Policy1357935677554",
"Statement": [
{
"Sid": "Stmt1357935647218",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNTB:user/accountb-user"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::bucket-name"
},
{
"Sid": "Stmt1357935676138",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNTB:user/accountb-user"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucket-name/*"
},
{
"Sid": "Stmt1357935676138",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNTB:user/accountb-user"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket-name/*"
},
{
"Sid": "Stmt1357935647218",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNTA:user/accounta-user"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::bucket-name"
},
{
"Sid": "Stmt1357935676138",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNTA:user/accounta-user"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket-name/*"
},
{
"Sid": "Stmt1357935676138",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNTA:root"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket-name/*"
}
]
}
问题是,当我尝试从帐户A下载/打开此文件时,我无法打开它.
The problem is when I try to download/open this file from Account A, I'm not able to open it.
推荐答案
问题是默认情况下,当AWS(cli或SDK)上传文件时,它仅通过s3 ACL授予对上传者的访问权限.
The problem is that by default, when AWS (cli or SDK) upload a file it grants access to the uploader only through s3 ACLs.
在这种情况下,要允许所有者读取上传的文件,上传者必须在上传过程中明确授予存储桶的所有者访问权限.例如:
In that case, to allow the owner to read the uploaded file, the uploader has to explicitly grant access to the owner of the bucket during the upload. Ex:
- 使用
awsCLI(文档此处):aws s3api put-object --bucket <bucketname> --key <filename> --acl bucket-owner-full-control - 使用
nodejsAPI(文档此处):您必须将AWS.S3.upload方法的params.ACL属性设置为"bucket-owner-full-control"
- with the
awsCLI (documentation here):aws s3api put-object --bucket <bucketname> --key <filename> --acl bucket-owner-full-control - with the
nodejsAPI (documentation here): you have to set theparams.ACLproperty of theAWS.S3.uploadmethod to"bucket-owner-full-control"
同时,您还可以确保存储桶拥有者对存储桶策略具有完全控制权(其他文档
In parallel, you can also ensure that the Bucket Owner Has Full Control with the bucket policy, (additional documentation here):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Grant Owner Full control dev",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNTB:root"
},
"Action": [
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::bucket-name/*"
],
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Grant Owner Full control dev",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNTB:root"
},
"Action": [
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::bucket-name/*"
],
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}
这篇关于跨账户的Amazon S3文件'Access Denied'异常的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
