URL for public Amazon S3 bucket

Problem description

I have an Amazon S3 bucket that I make public with a policy like this

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow Public Access to All Objects",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket/*"
        }
    ]
}

My bucket now shows up as http://bucket.s3-website-us-east-1.amazonaws.com/

I see others refer to their bucket as http://s3-us-east-1.amazonaws.com/bucket/

I would prefer the 2nd URL, but it gives an Access Denied.

How can I change my policy to allow the 2nd URL ?

Recommended answer

The URL structure you're referring to is called the REST endpoint, as opposed to the Web Site Endpoint.

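Note: Since this answer was originally written, S3 has rolled out dual-stack support on the REST endpoints, using new hostnames, while leaving the existing hostnames in place. This is now integrated into the information provided below.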

If your bucket is really in the us-east-1 region of AWS -- which the S3 documentation formerly referred to as the "US Standard" region, but was subsequently officially renamed to the "U.S. East (N. Virginia) Region" -- then http://s3-us-east-1.amazonaws.com/bucket/ is not the correct form for that endpoint, even though it looks like it should be. The correct format for that region is either http://s3.amazonaws.com/bucket/ or http://s3-external-1.amazonaws.com/bucket/.¹

The format you're using is applicable to all the other S3 regions, but not US Standard US East (N. Virginia) [us-east-1].

S3 now also has dual-stack endpoint hostnames for the REST endpoints, and unlike the original endpoint hostnames, the names of these have a consistent format across regions, for example s3.dualstack.us-east-1.amazonaws.com. These endpoints support both IPv4 and IPv6 connectivity and DNS resolution, but are otherwise functionally equivalent to the existing REST endpoints.

If your permissions and configuration are set up such that the web site endpoint works, then the REST endpoint should work, too.

However... the two endpoints do not offer the same functionality.

Roughly speaking, the REST endpoint is better-suited for machine access and the web site endpoint is better suited for human access, since the web site endpoint offers friendly error messages, index documents, and redirects, while the REST endpoint doesn't. On the other hand, the REST endpoint offers HTTPS and support for signed URLs, while the web site endpoint doesn't.

Choose the correct type of endpoint (REST or web site) for your application:

http://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteEndpoints.html#WebsiteRestEndpointDiff

¹ s3-external-1.amazonaws.com has been referred to as the "Northern Virginia endpoint," in contrast to the "Global endpoint" s3.amazonaws.com. It was unofficially possible to get read-after-write consistency on new objects in this region if the "s3-external-1" hostname was used, because this would send you to a subset of possible physical endpoints that could provide that functionality. This behavior is now officially supported on this endpoint, so this is probably the better choice in many applications. Previously, s3-external-2 had been referred to as the "Pacific Northwest endpoint" for US-Standard, though it is now a CNAME in DNS for s3-external-1 so s3-external-2 appears to have no purpose except backwards-compatibility.
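
The hostname forms named in the answer can be checked mechanically, for instance when auditing a list of public bucket URLs. This is an added example, not part of the original answer; the function name `classify_s3_url` and the result keys are assumptions, and REST URLs are handled only in the path style used in the question.

```python
import re
from urllib.parse import urlsplit

# Hostname forms from the answer above. REST URLs are handled in path style only
# (bucket as first path segment), matching the URLs in the question.
# The website pattern also accepts the dot-separated region form used by newer regions.
WEBSITE = re.compile(r"^(?P<bucket>.+)\.s3-website[-.](?P<region>[a-z0-9-]+)\.amazonaws\.com$")
DUALSTACK = re.compile(r"^s3\.dualstack\.(?P<region>[a-z0-9-]+)\.amazonaws\.com$")
REGIONAL = re.compile(r"^s3-(?P<region>[a-z]{2}(?:-[a-z]+)+-\d+)\.amazonaws\.com$")
US_EAST_1_HOSTS = {"s3.amazonaws.com", "s3-external-1.amazonaws.com"}


def classify_s3_url(url):
    """Describe which S3 endpoint type a URL targets and whether its form is usable."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    bucket = parts.path.lstrip("/").split("/", 1)[0] or None

    m = WEBSITE.match(host)
    if m:
        # Website endpoint: index documents, redirects, friendly errors,
        # but no HTTPS and no signed URLs, so an https:// URL will not work.
        return {"endpoint": "website", "bucket": m["bucket"], "region": m["region"],
                "https": False, "signed_urls": False, "ok": parts.scheme == "http"}

    rest = {"endpoint": "rest", "bucket": bucket, "https": True, "signed_urls": True}
    if host in US_EAST_1_HOSTS:
        return {**rest, "region": "us-east-1", "ok": True}
    m = DUALSTACK.match(host)
    if m:
        return {**rest, "region": m["region"], "ok": True}
    m = REGIONAL.match(host)
    if m:
        # Per the answer, s3-<region> works for other regions but not us-east-1.
        return {**rest, "region": m["region"], "ok": m["region"] != "us-east-1"}
    return {"endpoint": "unknown", "bucket": None, "region": None,
            "https": None, "signed_urls": None, "ok": False}


if __name__ == "__main__":
    # Constructed sample URLs using the placeholder bucket name from the question.
    for u in ("http://bucket.s3-website-us-east-1.amazonaws.com/",
              "http://s3-us-east-1.amazonaws.com/bucket/",
              "https://s3.dualstack.us-east-1.amazonaws.com/bucket/index.html"):
        print(u, classify_s3_url(u))
```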
