AWS S3:调用GetObject操作时发生错误(AccessDenied):访问被拒绝 [英] AWS S3: An error occurred (AccessDenied) when calling the GetObject operation: Access Denied

问题描述

我有一个具有读/写权限的AWS账户，如下所示:

I have an AWS account with read/write permissions as shown below:

我想这样做，以便IAM用户可以从S3存储桶下载文件，但是在执行aws s3 sync s3://<bucket_name> .时遇到了访问被拒绝的问题，我尝试了各种尝试，但无济于事.我做了一些步骤:

I'd like to make it so that an IAM user can download files from an S3 bucket but I'm getting access denied when executing aws s3 sync s3://<bucket_name> . I have tried various things, but not to avail. Some steps that I did:

1. 创建了一个名为s3-full-access的用户
2. 在我的CLI中执行aws configure，并输入为上述用户生成的访问密钥ID和秘密访问密钥
3. 创建了一个存储桶策略(如下所示)，我希望该策略可以为第一步中创建的用户授予访问权限.

1. Created a user called s3-full-access
2. Executed aws configure in my CLI and entered the generated access key id and secret access key for the above user
3. Created a bucket policy (shown below) that I'd hoped grants access for my user created in first step.

我的存储桶有一个名为AffectivaLogs的文件夹，其中各个用户都在其中匿名添加文件，并且看起来虽然存储桶是公共的，但其中的文件夹却不是，我什至无法将其公开导致以下错误.

My bucket has a folder name AffectivaLogs in which files were being added anonymously by various users, and it seems like though the bucket is public, the folder inside it is not and I am not even able to make it public, and it leads to following error.

以下是公共访问设置:

更新:我更新了存储桶策略，如下所示，但它不起作用.

Update: I updated the bucket policy as follows, but it doesn't work.

推荐答案

要测试这种情况，我执行了以下操作:

To test the situation, I did the following:

• 创建了没有附加政策的 IAM用户
• 创建了一个 Amazon S3存储桶
• 关闭S3阻止公共访问设置:
  • 阻止新的公共存储桶策略
  • 如果存储桶具有公共策略，则阻止公共和跨帐户访问
  • Created an IAM User with no attached policies
  • Created an Amazon S3 bucket
  • Turned off S3 block public access settings:
    • Block new public bucket policies
    • Block public and cross-account access if bucket has public policies

    然后我运行aws s3 sync并获得了Access Denied.

    然后，我修改了策略以允许访问存储桶本身:

    I then modified the policy to also permit access to the bucket itself:

    {
        "Id": "Policy",
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "statement",
                "Action": "s3:*",
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:s3:::my-bucket/*",
                    "arn:aws:s3:::my-bucket"
                ],
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::123456789012:user/stack-user"
                    ]
                }
            }
        ]
    }
    

    这行得通.

    底线:除了存储桶的内容之外，还添加访问存储桶的权限. (我怀疑这是因为aws s3 sync除了访问对象本身之外，还需要列出存储桶内容.)

    Bottom line: Also add permissions to access the bucket, in addition to the contents of the bucket. (I suspect it is because aws s3 sync requires listing of bucket contents, in addition to accessing the objects themselves.)

    这篇关于AWS S3:调用GetObject操作时发生错误(AccessDenied):访问被拒绝的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！