正确的预签名 URL 的 S3 策略 [英] Correct S3 Policy For Pre-Signed URLs
问题描述
我需要发布预先签名的 URL,以允许用户将文件 GET 和 PUT 文件放入特定的 S3 存储桶中.我创建了一个 IAM 用户并使用其密钥创建预签名 URL,并添加了嵌入该用户的自定义策略(见下文).当我使用生成的 URL 时,我的策略出现 AccessDenied 错误.如果我将 FullS3Access 策略添加到 IAM 用户,该文件可以是具有相同 URL 的 GET 或 PUT,因此很明显,我的自定义策略缺失.有什么问题吗?
I need to issue pre-signed URLs for allowing users to GET and PUT files into a specific S3 bucket. I created an IAM user and use its keys to create the pre-signed URLs, and added a custom policy embedded in that user (see below). When I use the generated URL, I get an AccessDenied error with my policy. If I add the FullS3Access policy to the IAM user, the file can be GET or PUT with the same URL, so obviously, my custom policy is lacking. What is wrong with it?
这是我使用的自定义策略不起作用:
Here's the custom policy I am using that is not working:
{
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::MyBucket"
]
},
{
"Action": [
"s3:AbortMultipartUpload",
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteBucketPolicy",
"s3:DeleteObject",
"s3:GetBucketPolicy",
"s3:GetLifecycleConfiguration",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:PutBucketPolicy",
"s3:PutLifecycleConfiguration",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::MyBucket/*"
]
}
]
}
推荐答案
这是适用于我的预签名 S3 URL 的 IAM 策略.
Here is an IAM policy that works for my presigned S3 URLs.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::mydocs/*"
}
]
}
我想知道您的问题是否在 Resource 部分.您对存储桶 MyBucket 的 GET 请求总是吗?
I wonder if your problem is in the Resource part. Were your GET requests for bucket MyBucket always?
这篇关于正确的预签名 URL 的 S3 策略的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
