尝试使用AWS CLI执行AWS s3 ls时访问被拒绝 [英] Access denied when trying to do AWS s3 ls using AWS cli

问题描述

我启动了一个ec2实例，并为该实例创建了具有完整S3访问策略的角色.我在上面安装了awscli并配置了用户的访问密钥.我的用户也具有管理员访问权限和完整的S3访问策略.我可以在aws控制台中看到存储分区，但是当我尝试在实例上运行aws s3 ls时，它返回了An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied.

I launched an ec2 instance and created a role with a full S3 access policy for the instance. I installed awscli on it and configured my user's access key. My user has admin access and full S3 access policy too. I can see the buckets in the aws console but when I try to run aws s3 ls on the instance it returned An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied.

我还需要做些什么才能为角色或用户正确添加权限，以便能够在S3和实例之间列出和同步对象?

What else I need to do to add permission to the role or my user properly to be able to list and sync object between S3 and the instance?

推荐答案

不仅从CLI还会发生此问题，例如在执行S3 API时也会发生.

This problem can occurs not only from the CLI but also when executing S3 API for example.

此错误的原因可能是由于对存储桶的访问权限配置错误.

The reason for this error can come from wrong configuration of the access permissions to the bucket.

例如，在下面的设置中，您具有对存储桶的内部对象执行操作的完整权限，但未在存储桶本身上指定任何操作:

For example with the setup below you're giving a full privileges to perform actions on the bucket's internal objects, BUT not specifying any action on the bucket itself:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::<name-of-bucket>/*"
            ]
        }
    ]
}

这将导致提到的

调用ListBuckets时

...(AccessDenied)...

... (AccessDenied) when calling the ListBuckets ...

错误.

为解决此问题，您应允许应用程序访问存储桶(第一条语句项)并编辑存储桶内的所有对象(第二条语句项):

In order to fix this you should allow application to access the bucket (1st statement item) and to edit all objects inside the bucket (2nd statement item):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<name-of-bucket>"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::<name-of-bucket>/*"
            ]
        }
    ]
}

可以使用较短的配置来解决该问题，但是上面指定的配置也试图保留细粒度的安全权限.

There are shorter configurations that might solve the problem, but the one specified above tries also to keep fine grained security permissions.

这篇关于尝试使用AWS CLI执行AWS s3 ls时访问被拒绝的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！