AWS Bucket Policy错误:策略具有无效的操作 [英] AWS Bucket Policy Error: Policy has invalid action
问题描述
我有一个非常基本的目标:将存储桶中的所有内容共享给特定用户列表(只读).这曾经与称为s3cmd的工具一起使用.我需要做的就是将一个用户(通过电子邮件标识)添加到具有读取权限的访问控制列表中,他们可以顺利列出或下载数据.
I have a very basic goal: to share all content of my bucket to a list of specific users, read only. This used to work with a tool called s3cmd. All I need to do was to add a user (identified by email) to the Access Control List with Read Permission and they could list or download data smoothly.
但是最近,这突然不再起作用了.系统只是拒绝任何访问我的存储桶的尝试.
But recently, this suddenly did not work any more. The system just denies any attempt to access my bucket.
然后我开始考虑编辑存储桶策略.这是由策略生成器生成的我的策略草案(敏感信息已匿名):
I then started thinking of editing the bucket policy. Here is the draft of my policy, generated by the Policy Generator (sensitive information is anonymized):
{
"Id": "Policy123456789",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1512705836469",
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:ListObjects"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::mybucketname",
"Principal": {
"AWS": [
"arn:aws:iam::anotheruserid:user/admin"
]
}
}
]
}
当我单击保存"时,出现策略无效操作"错误.然后,我尝试删除"ListObjects",以便该策略变为
When I click "save", I got a "Policy has invalid action" error. I then tried to remove "ListObjects" so the policy becomes
{
"Id": "Policy123456789",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1512705836469",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::mybucketname",
"Principal": {
"AWS": [
"arn:aws:iam::anotheruserid:user/admin"
]
}
}
]
}
,并收到另一个错误消息操作不适用于语句中的任何资源".这两个错误对我来说没有意义.如果我错了,请纠正我.如果我的方向不正确,请帮助我.
and got another error message "Action does not apply to any resource(s) in statement". These two errors do not make sense to me. Please correct me if I am wrong. If I am not in the right direction, please help me.
顺便说一句:我尝试按照以下教程进行操作 http://docs.aws. amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example2.html 但没有成功.通过使用以下存储桶策略:
BTW: I tried to follow the tutorial at http://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example2.html but wasn't successful. By using the following bucket policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Example permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountB-ID:root"
},
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::examplebucket"
]
}
]
}
当使用AccountB的awscli执行"aws s3 ls s3://examplebucket"时,出现错误消息.错误消息是调用ListObjects操作时发生错误(AccessDenied):访问被拒绝".这使我感到困惑.如果添加ListObjects,则会出现无效"错误.如果删除"ListObjects",其他用户将无法读取我的存储桶内容.
I got an error message when using awscli of AccountB to execute "aws s3 ls s3://examplebucket". The error message was "An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied". This confuses me. If I add ListObjects, I got an "invalid" error. If I remove the "ListObjects", another user could not read my bucket content.
我该怎么办?
推荐答案
我怀疑策略编辑器在针对在存储桶中进行操作的操作相对于在存储桶中进行操作的智能化.
I suspect that the Policy Editor has become smarter when it comes to operations that operate on buckets as opposed to within buckets.
此外,ListObjects似乎使它不高兴,因此请忽略它.
Also, ListObjects seems to be upsetting it, so leave it out.
此策略允许列出存储桶的内容并检索对象:
This policy allows the contents of a bucket to be listed and objects retrieved:
{
"Id": "Policy1",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
],
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/user-name"
}
}
]
}
ListBucket在存储桶上运行.
GetObject对存储区的内容进行操作.
GetObject operates on the contents of a bucket.
可以在策略中将其写为两个单独的语句(一个在存储桶中,一个在存储桶中的内容上),但是如上所述编写起来通常更容易.
It could be written as two separate statements within the policy (one on the bucket, one on the contents of the bucket), but it's often easier to write it as above.
这篇关于AWS Bucket Policy错误:策略具有无效的操作的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
