直接附加现有策略以以编程方式访问S3 [英] Attach existing policies directly for programatically access to S3
问题描述
我正在创建一个需要以编程方式对S3进行读写访问的用户.
I am creating a user that needs a read and write access to S3 programatically.
在直接附加现有策略"下,有太多策略,我不知道我需要哪一个.
Under "Attach existing policies directly" there are too many policies and I don't know which of them is the one I need.
推荐答案
如果您希望授予一个IAM用户访问Amazon S3中的执行任何操作的功能,您只需附加 AmazonS3FullAccess
政策,该政策授予:
If you wish to grant one IAM User access to do anything in Amazon S3, you can simply attach the AmazonS3FullAccess
policy, which grants:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
但是,这使他们可以执行任何操作(包括删除存储桶).通常,将为用户分配给定存储桶的特定权限,例如此内联策略:
However, this lets them do anything (including deleting buckets). Normally, people would be assigned specific permissions for a given bucket, such as this inline policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObjectAcl",
"s3:GetObject",
"s3:ListBucket",
"s3:DeleteObject",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::my-bucket/*",
"arn:aws:s3:::my-bucket"
]
},
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
}
]
}
请注意,某些操作适用于存储桶本身,而其他操作则适用于存储桶的内容(/*
).
Note that some actions apply to the bucket itself, while other applies to the contents (/*
) of the bucket.
这篇关于直接附加现有策略以以编程方式访问S3的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!