Amazon S3: Grant anonymous access from IP (via bucket policy)


Problem description

I have an Amazon S3 bucket and would like to make it available to scripts on a certain machine, without the need to deploy login credentials. So my plan was to allow anonymous access only from the IP of that machine. I'm quite new to the Amazon cloud and bucket policies look like the way to go. I added the following policy to my bucket:

{
    "Version": "2008-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::name_of_my_bucket/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "my_ip_1/24",
                        "my_ip_2/24"
                    ]
                }
            }
        }
    ]
}

But anonymous access still does not work. For testing, I granted access to "Everyone" in the S3 management console. That works fine, but is obviously not what I want to do. ;-) Any hint as to what I'm doing wrong and how to get this working?

My use case is some data processing using EC2 and S3, so access control by IP would be much simpler than fiddling around with user accounts. If there's a simpler solution, I'm open to suggestions.

Recommended answer

"But anonymous access still does not work."

What operation exactly still does not work? Do you by chance just try to list the objects in the bucket?

Quite often a use case implicitly involves Amazon S3 API calls that also address resource types other than the Resource explicitly targeted by the policy. Specifically, you'll need to be aware of the difference between operations on the service (e.g. ListAllMyBuckets), operations on buckets (e.g. ListBucket) and operations on objects (e.g. GetObject).

In particular, the Resource specification of your policy currently addresses the objects within the bucket only (arn:aws:s3:::name_of_my_bucket/*), which implies that you cannot list objects in the bucket (you should be able to put/get/delete objects, though). In order to also allow listing of the objects in the bucket via ListBucket, you would need to amend your policy as follows:

{
    "Version": "2008-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::name_of_my_bucket/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "my_ip_1/24",
                        "my_ip_2/24"
                    ]
                }
            }
        },
        {
            "Sid": "IPAllowListBucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::name_of_my_bucket",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "my_ip_1/24",
                        "my_ip_2/24"
                    ]
                }
            }
        }
    ]
}
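The following is an added example, not code from the original question or answer: a small evaluator for the subset of the bucket-policy grammar used in this thread, written to show why the object-only Resource leaves s3:ListBucket unmatched and what the amended policy changes. It models only anonymous principals ("*" or {"AWS": "*"}), Action/Resource wildcards, explicit Deny, and the IpAddress / NotIpAddress operators on aws:SourceIp; ACLs, IAM principals, Block Public Access and VPC-endpoint condition keys are out of scope. The CIDRs 203.0.113.0/24 and 198.51.100.0/24 are constructed stand-ins for my_ip_1/24 and my_ip_2/24, and the object key data.csv is made up.

```python
"""Added example (not from the original post): minimal evaluator for the
bucket-policy subset used in this thread. Explicit Deny beats Allow and no
matching statement is an implicit deny, as in the real IAM evaluation."""
import fnmatch
import ipaddress


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(patterns, candidate, fold_case=False):
    """IAM-style matching: '*' and '?' wildcards; action names are case-insensitive."""
    for pattern in _as_list(patterns):
        p, c = (pattern.lower(), candidate.lower()) if fold_case else (pattern, candidate)
        if fnmatch.fnmatchcase(c, p):
            return True
    return False


def _is_anonymous(principal):
    """True for the public principal forms "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _ip_condition_holds(condition, source_ip):
    """Evaluate IpAddress / NotIpAddress on aws:SourceIp; refuse anything else."""
    addr = ipaddress.ip_address(source_ip)
    for operator, clauses in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, cidrs in clauses.items():
            if key != "aws:SourceIp":
                raise NotImplementedError(f"condition key {key} not modelled")
            # strict=False accepts host/prefix forms such as 203.0.113.45/24
            in_range = any(addr in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))
            if in_range != (operator == "IpAddress"):
                return False
    return True


def evaluate(policy, action, resource, source_ip):
    """Decision for an anonymous request: 'Allow', 'Deny' or 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if not _glob_match(stmt["Action"], action, fold_case=True):
            continue
        if not _glob_match(stmt["Resource"], resource):
            continue
        if not _ip_condition_holds(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


BUCKET_ARN = "arn:aws:s3:::name_of_my_bucket"
TRUSTED_RANGES = ["203.0.113.0/24", "198.51.100.0/24"]  # constructed: my_ip_1/24, my_ip_2/24


def ip_statement(sid, action, resource):
    return {
        "Sid": sid, "Effect": "Allow", "Principal": {"AWS": "*"},
        "Action": action, "Resource": resource,
        "Condition": {"IpAddress": {"aws:SourceIp": TRUSTED_RANGES}},
    }


# The policy from the question: object ARNs only.
OBJECTS_ONLY = {"Version": "2008-10-17", "Statement": [
    ip_statement("IPAllow", "s3:*", BUCKET_ARN + "/*")]}

# The amended policy from the answer: a second statement on the bucket ARN itself.
WITH_LISTING = {"Version": "2008-10-17", "Statement": OBJECTS_ONLY["Statement"] + [
    ip_statement("IPAllowListBucket", "s3:ListBucket", BUCKET_ARN)]}


def demo(trusted_ip="203.0.113.45", other_ip="192.0.2.7"):
    obj = BUCKET_ARN + "/data.csv"  # constructed object key
    return {
        "get_object_objects_only": evaluate(OBJECTS_ONLY, "s3:GetObject", obj, trusted_ip),
        "list_bucket_objects_only": evaluate(OBJECTS_ONLY, "s3:ListBucket", BUCKET_ARN, trusted_ip),
        "list_bucket_with_listing": evaluate(WITH_LISTING, "s3:ListBucket", BUCKET_ARN, trusted_ip),
        "list_bucket_other_ip": evaluate(WITH_LISTING, "s3:ListBucket", BUCKET_ARN, other_ip),
        # s3:* on the object ARN also covers destructive actions for every host in the /24
        "delete_object_objects_only": evaluate(OBJECTS_ONLY, "s3:DeleteObject", obj, "203.0.113.200"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28s} {outcome}")
```

The two things worth taking from the run: ListBucket against the bucket ARN is an implicit deny under the object-only policy and an allow once the second statement is present, and s3:* on the object ARN already lets any address in the listed /24 blocks delete objects, so a tighter action list (or a /32 per host) is the safer shape for the asker's use case. A separate caveat from the AWS documentation: requests that reach S3 through a VPC endpoint do not carry the public source address, so an aws:SourceIp condition will not match them; aws:SourceVpce is the key for that path.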
