如何在Boto中将联合用户的权限授予s3存储桶? [英] How to give permission to a federated user in boto to an s3 bucket?
问题描述
试图从文档中找出问题,但无法创建可以访问s3存储桶的联合用户
Tried figuring out from the documentation but can not create a federated user who can access the s3 bucket
首先进口
>>> from boto.s3.connection import S3Connection
>>> from boto.sts import STSConnection
然后在s3中创建一个存储桶
Then create a bucket in s3
>>> s3c = ('access key', 'secret key')
>>> s3c.create_bucket('ranjith_new_bucket')
然后创建一个联合用户,如果我正确理解的话,这是创建临时凭据的一种方式
Then create a federated user, which if I correctly understand, is a way of creating temporary credentials
>>> sts = STSConnection('access key', 'secret key')
>>> user = sts.get_federation_token('guest_user_1')
但是当我尝试获取所有可访问存储桶的列表时,会出现错误.
But when I try to get the list of all accessible buckets, I get an error.
>>> s3c2 = S3Connection(user.credentials.access_key, user.credentials.secret_key)
>>> s3c2.get_all_buckets()
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/home/ranjith/work/venv/local/lib/python2.7/site-packages/boto-2.16.0-py2.7.egg/boto/s3/connection.py", line 387, in get_all_buckets
response.status, response.reason, body)
boto.exception.S3ResponseError: S3ResponseError: 403 Forbidden
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>InvalidAccessKeyId</Code><Message>The AWS Access Key Id you provided does not exist in our records.</Message><RequestId>154CDA2184E00650</RequestId><HostId>xxx</HostId><AWSAccessKeyId>xxx</AWSAccessKeyId></Error>
文档说,我必须提供一个策略字符串,但是文档很难消化.我知道我必须在某个地方定义一个策略,然后在创建联盟用户时使用它,但不确定在哪里或如何做到这一点.
The documentation says that I have to provide an policy string, but the documentation is very tough to digest. I know I have to define a policy somewhere and use it while creating federated user but not sure where or how to do just that.
我确实尝试过:
permission = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["sts:GetFederationToken"],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": ["s3:*"],
"Resource": "arn:aws:s3:::mybucket/ranjith_new_bucket/*"
}
]
}
sts.get_federation_token('some_other_user', json.dumps(permission))
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/home/ranjith/work/venv/local/lib/python2.7/site-packages/boto-2.16.0-py2.7.egg/boto/sts/connection.py", line 235, in get_federation_token
FederationToken, verb='POST')
File "/home/ranjith/work/venv/local/lib/python2.7/site-packages/boto-2.16.0-py2.7.egg/boto/connection.py", line 1138, in get_object
raise self.ResponseError(response.status, response.reason, body)
boto.exception.BotoServerError: BotoServerError: 400 Bad Request
<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<Error>
<Type>Sender</Type>
<Code>MalformedInput</Code>
</Error>
<RequestId>75734932-4ac1-11e3-a17b-e9e245983c07</RequestId>
</ErrorResponse>
这真的很愚蠢,因为我所做的只是将策略的json转储.我什至找不到任何在线资源来解决这个问题.
which is really silly because all I did is to put in json dump of the policy. I am not even able to find any online resources for the problem.
如果有人可以指导我,那太好了,这样我最终创建了一个可以访问上面创建的ranjith_new_bucket的联合用户.代码片段将不胜感激.
It would be great if some one could guide me so that I end up creating a federated user with access to ranjith_new_bucket created above. Code snippets will be appreciated.
推荐答案
此调用返回的FederationToken对象:
The FederationToken object returned from this call:
>>> user = sts.get_federation_token('guest_user_1')
具有一个名为credentials的属性,此子对象包含access_key,secret_key和session_token.所有这三个都需要在请求中发送.当前,您仅发送access_key和secret_key.我认为,如果您将代码更改为以下形式:
has an attribute called credentials and this sub-object contains an access_key, a secret_key, and a session_token. All three of these need to be sent in the request. You are currently only sending the access_key and secret_key. I think if you change your code to look like this:
> s3c2 = S3Connection(user.credentials.access_key, user.credentials.secret_key, security_token=user.credentials.session_token)
你应该没事.
这篇关于如何在Boto中将联合用户的权限授予s3存储桶?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
