限制水桶列出特定用户 [英] Restrict List of Buckets for a Specific User

问题描述

我已经能够生成用户策略，只允许访问特定的水桶，但乱投医（包括这篇文章后：<一href="http://stackoverflow.com/questions/6615168/s3-policy-limiting-access-to-only-one-bucket-listing-included">S3政策限制只能访问一个桶（清单包括））。

I've been able to generate a user policy that only gives access to a specific bucket, however after trying everything (including this post: S3 policy limiting access to only one bucket (listing included)).

的问题：我无法限制桶的清单的只剩下一个桶。由于各种原因，我不想上市，显示比指定的其他任何桶。

The problem: I am unable to restrict the listing of the buckets down to just one bucket. For a variety of reasons, I do not want the listing to show any buckets other than the one specified.

我已经尝试了各种政策，都无济于事。这里是我的最新政策JSON这是工作尽可能限制操作，但不上市：

I've tried a variety of policies, to no avail. Here's my latest policy JSON which is working as far as restricting operations, but not listing:

{
    "Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "s3:ListAllMyBuckets",
            "s3:ListBucket",
            "s3:GetBucketLocation"
        ],
        "Resource": "arn:aws:s3:::*"
    },
    {
        "Effect": "Deny",
        "Action": [
            "s3:ListBucket"
        ],
        "NotResource": [
            "arn:aws:s3:::acgbu-acg",
            "arn:aws:s3:::acgbu-acg/*"
        ]
    },
    {
        "Effect": "Allow",
        "Action": [
            "s3:*"
        ],
        "Resource": [
            "arn:aws:s3:::acgbu-acg",
            "arn:aws:s3:::acgbu-acg/*"
        ]
    }
]
}

任何帮助将是很大的AP preciated。我开始怀疑，如果它甚至有可能。

Any help would be greatly appreciated. I'm beginning to wonder if it's even possible.

推荐答案

这是目前无法限制桶的清单只显示一个桶。

It is not currently possible to restrict the list of buckets to show only one bucket.

在AWS控制台依赖于 ListAllMyBuckets 的行动来获得用户拥有的水桶名单，但返回的列表无法通过使用亚马逊资源名称（限。或ARN;这是允许 ListAllMyBuckets 唯一的ARN是 ARN：AWS：S3 ::: * ）

The AWS console relies on the ListAllMyBuckets action to get the list of buckets owned by the user, but the returned list can not be restricted by using an Amazon Resource Name (or ARN; the only ARN that's allowed for ListAllMyBuckets is arn:aws:s3:::*).

这限制没有明确的官方AWS文档说明，但 ListAllMyBuckets 是一个服务级别API调用（它也被称为REST API中得到服务），不桶的水平API调用及其相关的ARN在IAM策略指的S3服务中的不特定的水桶。

This limitation isn't clearly explained in the official AWS docs, but ListAllMyBuckets is a service level API call (it's also called GET Service in the REST API), not a bucket level API call and its associated ARN in the IAM policy refers to the S3 service an not to a specific bucket.

有关可能的解决方法，请参见的计算器这个答案：

For possible workarounds, see this answer on StackOverflow:

这篇关于限制水桶列出特定用户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！