Writing an IAM policy and CORS configuration for Amazon S3


Question

I am very new to all this but have been able to get an avatar/image uploader to work in my Rails application. A user can upload a new avatar to my S3 bucket and the avatar shows within the web application.

To this end, I've had to grant "AmazonS3FullAccess" policy to the user. That seems like a bit too much, since the user from the application only needs write (upload his avatar) and read (show the avatar on the web page) permission.

Would you agree that it is therefore better to write a custom policy rather than use AmazonS3FullAccess? If so, I've tried the policy code (adopted from here) below but this didn't work (403 Forbidden error when trying to upload an avatar image). Any suggestions how to correct this code?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::mybucket"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": ["arn:aws:s3:::mybucket/*"]
    }
  ]
}


Answer

I've grown white hair trying to figure out the proper configuration. Here's one that's working for me:

{
    "Statement": [
        {
            "Sid": "AllowPublicRead",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:DeleteObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::mybucket/*",
                "arn:aws:s3:::mybucket"
            ]
        }
    ]
}

This policy should be attached to the proper entity ("Attached entity tab"), which can be a dedicated User. If you need API/Access keys, head to the "Security Credentials" tab for that user and generate some. This allows you more control over who's using that policy.

You can also edit this policy to allow anonymous access by specifying "Principal":"*" as suggested by @therealprashant in the comments, see the docs for more info.

But you also need to set your CORS configuration. Open the S3 console, click on your bucket, show its Properties (right panel) and click on Permissions, you'll be able to edit the configuration.

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>http://*.example.com</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
    <CORSRule>
        <AllowedOrigin>http://example.com</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
</CORSConfiguration>

Add as many CORSRule as you need, especially if you need https as well.

Hope it helps.

Edit

Here's the modified version I'm actually using nowadays.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:DeleteObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket/*",
                "arn:aws:s3:::mybucket"
            ]
        }
    ]
}

Note: "principal" can be omitted (like I did here) in IAM policies that are attached to an IAM user, group, or role. During authorization, "principal" is evaluated to be the entity that the policy is attached to.
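As an added example (not code from the question or the answer, and not an AWS tool), here is a small offline checker that runs the policies and the CORS document from this page through the review a practitioner would do before attaching them: is the policy pinned to the bucket, does it grant any wildcard action or resource, does it include s3:PutObjectAcl (which lets the application change the ACL of objects it uploads), and does the CORS document allow write methods from any origin or from plain-http origins. The bucket name "mybucket" is the one used on the page; the FULL_ACCESS_POLICY stand-in for AmazonS3FullAccess is a constructed approximation, not the managed policy's actual text.

```python
import json
import xml.etree.ElementTree as ET

BUCKET = "mybucket"  # bucket name used throughout the page

# Policy posted in the question: bucket-level and object-level ARNs kept separate
QUESTION_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::mybucket"]},
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
         "Resource": ["arn:aws:s3:::mybucket/*"]},
    ],
})

# Policy from the answer's "Edit" section
ANSWER_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:AbortMultipartUpload", "s3:ListBucket", "s3:GetObject",
                   "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject",
                   "s3:GetObjectVersion"],
        "Resource": ["arn:aws:s3:::mybucket/*", "arn:aws:s3:::mybucket"],
    }],
})

# Constructed stand-in for the AmazonS3FullAccess managed policy the question wants to avoid
FULL_ACCESS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
})

# CORS document from the answer
CORS_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>http://*.example.com</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod><AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds><AllowedHeader>*</AllowedHeader>
    </CORSRule>
    <CORSRule>
        <AllowedOrigin>http://example.com</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod><AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds><AllowedHeader>*</AllowedHeader>
    </CORSRule>
</CORSConfiguration>"""


def _as_list(value):
    """IAM accepts a single string or object where a list is expected; normalise."""
    if isinstance(value, (str, dict)):
        return [value]
    return list(value or [])


def lint_s3_policy(policy_json: str, bucket: str) -> list[str]:
    """Return review findings for an IAM policy meant to scope an app to one bucket."""
    policy = json.loads(policy_json)
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version missing or old: use 2012-10-17")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(st.get("Action"))
        for action in actions:
            if action in ("*", "s3:*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        for res in _as_list(st.get("Resource")):
            if res in ("*", "arn:aws:s3:::*"):
                findings.append(f"statement {i}: wildcard resource {res!r}")
            elif res != bucket_arn and not res.startswith(bucket_arn + "/"):
                findings.append(f"statement {i}: resource {res!r} is outside {bucket}")
        if "s3:PutObjectAcl" in actions:
            findings.append(f"statement {i}: s3:PutObjectAcl lets the app change object ACLs "
                            "(e.g. make uploads public); drop it if uploads stay private")
    return findings


def lint_cors(cors_xml: str) -> list[str]:
    """Return review findings for an S3 CORS configuration document."""
    ns = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}
    root = ET.fromstring(cors_xml.encode("utf-8"))  # bytes so the XML declaration is honoured
    findings = []
    for i, rule in enumerate(root.findall("s3:CORSRule", ns)):
        origins = [o.text or "" for o in rule.findall("s3:AllowedOrigin", ns)]
        methods = {m.text for m in rule.findall("s3:AllowedMethod", ns)}
        writes = methods & {"PUT", "POST", "DELETE"}
        for origin in origins:
            if origin == "*" and writes:
                findings.append(f"rule {i}: any origin may {'/'.join(sorted(writes))}")
            elif origin != "*" and not origin.startswith("https://"):
                findings.append(f"rule {i}: origin {origin!r} is not https")
    return findings


if __name__ == "__main__":
    for name, doc in [("question", QUESTION_POLICY), ("answer", ANSWER_POLICY),
                      ("full access", FULL_ACCESS_POLICY)]:
        print(name, lint_s3_policy(doc, BUCKET) or "no findings")
    print("cors", lint_cors(CORS_CONFIG) or "no findings")
```

Run as-is, the question's policy produces no findings (it is already scoped to the bucket and split between bucket-level and object-level ARNs), the answer's policy is flagged only for s3:PutObjectAcl, the full-access stand-in is flagged for both wildcards, and the CORS document is flagged because both origins are plain http, which is the point the answer makes about adding https rules.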
