尝试下载文件时禁止从 s3 获取 403 [英] Getting 403 forbidden from s3 when attempting to download a file

问题描述

我在 s3 上有一个存储桶，并且一个用户获得了对该存储桶的完全访问权限.

I have a bucket on s3, and a user given full access to that bucket.

我可以执行 ls 命令并查看存储桶中的文件，但下载它们失败:

I can perform an ls command and see the files in the bucket, but downloading them fails with:

调用 HeadObject 操作时发生客户端错误(403):禁止

我还尝试使用通过 IAM 控制台授予完整 S3 权限的用户.同样的问题.

I also attempted this with a user granted full S3 permissions through the IAM console. Same problem.

作为参考，这是我的 IAM 政策:

For reference, here is the IAM policy I have:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::mybucket",
                "arn:aws:s3:::mybucket/*"
            ]
        }
    ]
}

我还尝试添加存储桶策略，甚至将存储桶设为公开，但仍然没有成功...此外，我尝试从控制台为存储桶中的文件设置单独的权限，但收到错误消息说我不能查看存储桶，这很奇怪，因为当消息出现时我正在从控制台查看它，并且可以ls 存储桶中的任何内容.

I also tried adding a bucket policy, even making the bucket public, and still no go...also, from the console, I tried to set individual permissions on the files in the bucket, and got an error saying I cannot view the bucket, which is strange, since I was viewing it from the console when the message appeared, and can ls anything in the bucket.

EDIT 我的存储桶中的文件是从属于不同账户的另一个存储桶复制到那里的，使用的是我账户中的凭据.可能相关也可能不相关...

EDIT the files in my bucket were copied there from another bucket belonging to a different account, using credentials from my account. May or may not be relevant...

第二次编辑 只是尝试将我自己的文件从其他存储桶上传、下载和复制到此存储桶中，并且工作正常.问题特别在于从另一个帐户的存储桶中放置的文件.

2nd EDIT just tried to upload, download and copy my own files to and from this bucket from other buckets, and it works fine. The issue is specifically with the files placed there from another account's bucket.

谢谢！

推荐答案

我认为在使用bucket-owner-full-control" acl 在存储桶之间移动/复制对象时，您需要确保将权限应用于对象.

I think you need to make sure that the permissions are applied to objects when moving/copying them between buckets with the "bucket-owner-full-control" acl.

以下是有关在移动或复制文件以及追溯时如何执行此操作的详细信息:https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-owner-access/

Here are the details about how to do this when moving or copying files as well as retroactively: https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-owner-access/

此外，您可以在此处阅读各种预定义的赠款:http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl

Also, you can read about the various predefined grants here: http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl

这篇关于尝试下载文件时禁止从 s3 获取 403的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！