S3:如果由其他用户创建，用户将无法访问他自己的 s3 存储桶中的对象 [英] S3: User cannot access object in his own s3 bucket if created by another user

问题描述

外部用户可以访问我们的 s3 存储桶，在我们的存储桶策略中使用这些操作:

An external user has access to our s3 bucket, using these actions in our bucket policy:

"Action": [
            "s3:GetObjectAcl",
            "s3:GetObject",
            "s3:PutObjectAcl",
            "s3:ListMultipartUploadParts",
            "s3:PutObject"
        ]

该用户生成了临时凭证，然后被使用将文件上传到我们的存储桶中.

That user generated temporary credentials, which were then used to upload a file into our bucket.

现在，我无法访问该文件.在 s3 UI 中，如果我尝试下载文件，则会收到 403.如果我尝试更改该对象的权限，我会看到以下消息:抱歉！您无权查看此存储桶."如果外部用户在使用临时凭证上传文件时设置了适当的标头(x-amz-acl bucket-owner-full-control)，我可以正常访问该文件.我觉得很奇怪，即使我拥有存储桶，外部用户也有可能将我无法访问的文件放入其中.

Now, I cannot access the file. In the s3 UI, if I attempt to download the file, I get a 403. If I attempt to change the permissions on that object, I see the message : "Sorry! You do not have permissions to view this bucket." If the external user sets the appropriate header (x-amz-acl bucket-owner-full-control) when uploading the file with the temporary credentials, I can access the file normally. It seems strange to me that even though I own the bucket, it is possible for the external user to put files into it that I am unable to access.

是否有可能我可以设置一些策略以便我可以访问该文件，或者我可以访问添加到我的存储桶中的任何文件，而不管 它是如何添加的?谢谢！

Is it possible that there is some policy I can set so I can access the file, or so that I am able to access any file that is added to my bucket, regardless of how it is added? Thanks!

推荐答案

我相信你必须让对象所有者更新 ACL 或重写指定存储桶所有者完全控制的对象.对此进行试验的最简单方法是使用 CLI:

I believe you have to get the object owner to update the ACL or re-write the object specifying bucket owner full control. The simplest way to experiment with this is using the CLI:

aws s3api put-object-acl --acl bucket-owner-full-control --bucket some-bucket --key path/to/unreadable.txt

是的，我认为您必须为每个对象执行一次，我认为没有递归选项.

Yeah, I think you have to do that once for each object, I don't think there is a recursive option.

AWS 发布了一个 示例存储桶策略防止将对象添加到存储桶，而无需让存储桶拥有者完全控制.但这不会解决您存储桶中已有对象的所有权问题.

AWS publishes an example bucket policy to prevent adding objects to the bucket without giving the bucket owner full control. But that will not address ownership of the objects already in your bucket.

我不知道有任何政策会自动将所有权转让给存储桶所有者.

I don't know of any policy that will automagically transfer ownership to the bucket owner.

这篇关于S3:如果由其他用户创建，用户将无法访问他自己的 s3 存储桶中的对象的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！