限制特定用户的桶列表 [英] Restrict List of Buckets for a Specific User

问题描述

我已经能够生成一个只允许访问特定存储桶的用户策略，但是在尝试了一切之后(包括这篇文章:是否有 S3 策略将访问权限限制为只能查看/访问一个存储桶?).

I've been able to generate a user policy that only gives access to a specific bucket, however after trying everything (including this post: Is there an S3 policy for limiting access to only see/access one bucket?).

问题:我无法将存储桶的列表限制为仅一个存储桶.出于各种原因，我不希望列表中显示除指定的桶之外的任何桶.

The problem: I am unable to restrict the listing of the buckets down to just one bucket. For a variety of reasons, I do not want the listing to show any buckets other than the one specified.

我尝试了各种策略，但都无济于事.这是我的最新政策 JSON，它在限制操作方面起作用，但未列出:

I've tried a variety of policies, to no avail. Here's my latest policy JSON which is working as far as restricting operations, but not listing:

{
    "Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "s3:ListAllMyBuckets",
            "s3:ListBucket",
            "s3:GetBucketLocation"
        ],
        "Resource": "arn:aws:s3:::*"
    },
    {
        "Effect": "Deny",
        "Action": [
            "s3:ListBucket"
        ],
        "NotResource": [
            "arn:aws:s3:::acgbu-acg",
            "arn:aws:s3:::acgbu-acg/*"
        ]
    },
    {
        "Effect": "Allow",
        "Action": [
            "s3:*"
        ],
        "Resource": [
            "arn:aws:s3:::acgbu-acg",
            "arn:aws:s3:::acgbu-acg/*"
        ]
    }
]
}

任何帮助将不胜感激.我开始怀疑这是否可能.

Any help would be greatly appreciated. I'm beginning to wonder if it's even possible.

推荐答案

目前无法将存储区列表限制为仅显示一个存储区.

It is not currently possible to restrict the list of buckets to show only one bucket.

AWS 控制台依赖 ListAllMyBuckets 操作来获取用户拥有的存储桶列表，但不能使用 Amazon 资源名称(或 ARN；唯一的 ARN)限制返回的列表ListAllMyBuckets 允许的是 arn:aws:s3:::*).

The AWS console relies on the ListAllMyBuckets action to get the list of buckets owned by the user, but the returned list can not be restricted by using an Amazon Resource Name (or ARN; the only ARN that's allowed for ListAllMyBuckets is arn:aws:s3:::*).

AWS 官方文档中没有明确解释此限制，但 ListAllMyBuckets 是服务级别 API 调用(在 REST API 中也称为 GET 服务)，而不是存储桶级别 API 调用和它在 IAM 策略中的关联 ARN 指的是 S3 服务，而不是特定的存储桶.

This limitation isn't clearly explained in the official AWS docs, but ListAllMyBuckets is a service level API call (it's also called GET Service in the REST API), not a bucket level API call and its associated ARN in the IAM policy refers to the S3 service an not to a specific bucket.

有关可能的解决方法，请参阅 StackOverflow 上的此答案:

For possible workarounds, see this answer on StackOverflow:

这篇关于限制特定用户的桶列表的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！