直接附加现有策略以以编程方式访问S3 [英] Attach existing policies directly for programatically access to S3

问题描述

我正在创建一个需要以编程方式对S3进行读写访问的用户.

I am creating a user that needs a read and write access to S3 programatically.

在直接附加现有策略"下，有太多策略，我不知道我需要哪一个.

Under "Attach existing policies directly" there are too many policies and I don't know which of them is the one I need.

推荐答案

如果您希望授予一个IAM用户访问Amazon S3中的执行任何操作的功能，您只需附加 AmazonS3FullAccess 政策，该政策授予:

If you wish to grant one IAM User access to do anything in Amazon S3, you can simply attach the AmazonS3FullAccess policy, which grants:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}

但是，这使他们可以执行任何操作(包括删除存储桶).通常，将为用户分配给定存储桶的特定权限，例如此内联策略:

However, this lets them do anything (including deleting buckets). Normally, people would be assigned specific permissions for a given bucket, such as this inline policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket/*",
                "arn:aws:s3:::my-bucket"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        }
    ]
}

请注意，某些操作适用于存储桶本身，而其他操作则适用于存储桶的内容(/* ).

Note that some actions apply to the bucket itself, while other applies to the contents (/*) of the bucket.

这篇关于直接附加现有策略以以编程方式访问S3的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！