问题指定在一个简单的AWS用户策略单个桶 [英] Problems specifying a single bucket in a simple AWS user policy
问题描述
我使用AWS IAM STS(通过博托)创建为我的访问的S3存储凭据。我茫然,什么是错在下面的政策。我已经简化我的政策下尽可能多地和我仍然得到意想不到的效果。
当我得到的令牌附上以下策略的用户:
user_policy_string = R'{声明:[{效果:允许,行动:S3:*,资源:ARN:AWS: S3 ::: *}]}'
这工作,但显然是有点过于宽松。在缩小与这些凭据关联的权限我尝试使用相同的策略,但指定斗:
user_policy_string = R'{声明:[{效果:允许,行动:S3:*,资源:ARN:AWS: S3 ::: buck_binary_bucket_bay地球-D5A / *}]}
在这里,我得到403错误,当我尝试访问S3。基于AWS的文档我敢肯定,这是对的方式来解决该政策在一个特定的水桶,所以我很茫然,什么可能会造成这个限制。难道我指的是斗不正确?
在S3控制台,该政策为空(曾尝试加入一个完全放任的政策以及)。对于用于生成STS令牌的AWS账户,该政策如下:
声明:
{
效果:允许,
行动:STS:GetFederationToken
资源:*
},
{
效果:允许,
行动:IAM:的getUser
资源:*
},
{
效果:允许,
行动:S3:*,
资源:*
}
]
}
在这里,我得到403错误,当我尝试访问S3。
你如何真正的尝试访问S3 的,即通过该工具,服务,API?
很多时候,一个用例涉及S3 API调用处理不同的资源类型以及除资源已经由政策目标。具体而言,你需要知道的服务(如操作之间的差异<一个href="http://docs.amazonwebservices.com/AmazonS3/2006-03-01/API/SOAPListAllMyBuckets.html">ListAllMyBuckets), 操作上斗(如的 ListBucket )和操作上对象(如<一个href="http://docs.amazonwebservices.com/AmazonS3/2006-03-01/API/SOAPGetObject.html">GetObject).
如果您的S3访问方法隐式使用其他任何资源类型以及(即除对象资源要通过 buck_binary_bucket_bay地球-D5A / * 已解决),这些需要相应的附加相应的政策。例如,能够通过的 ListBucket 的列出桶中的对象访问对象之前的共同要求本身就需要相应的政策片段处理,像这样的斗:
声明:[{
效果:允许,
行动:S3:ListBucket
资源:ARN:AWS:S3 ::: buck_binary_bucket_bay地球-D5A
}
]
I'm using AWS IAM STS (via boto) to create credentials for my accessing an S3 bucket. I'm at a loss as to what's wrong in the following policy. I've simplified my policy down as much as possible and am still getting unexpected results.
When I get the token for the user I attach the following policy:
user_policy_string = r'{"Statement":[{"Effect":"Allow","Action": "s3:*","Resource":"arn:aws:s3:::*"}]}'
This works, but is obviously a little too permissive. In narrowing down the permissions associated with these credentials I attempt to use the same policy, but specify the bucket:
user_policy_string = r'{"Statement":[{"Effect":"Allow","Action": "s3:*","Resource":"arn:aws:s3:::buck_binary_bucket_bay-earth-d5a/*"}]}'
Here I get 403 errors when I try to access S3. Based on the AWS docs I'm sure this is the way to address a specific bucket in the policy, so I'm at a loss as to what could be causing this restriction. Am I referring to the bucket incorrectly?
In the S3 console, the policy is empty (have tried adding a totally permissive policy as well). For the AWS account used to generate the STS tokens, the policy is as follows:
"Statement": [
{
"Effect": "Allow",
"Action": "sts:GetFederationToken",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:GetUser",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
Here I get 403 errors when I try to access S3.
How do you actually try to access S3, i.e. by means of which tool, service, API?
Quite often a use case involves S3 API calls addressing a different resource types as well besides the Resource targeted by the policy already. Specifically, you'll need to be aware of the difference between Operations on the Service (e.g. ListAllMyBuckets), Operations on Buckets (e.g. ListBucket) and Operations on Objects (e.g. GetObject).
If your S3 access method implicitly uses any other resource types as well (i.e. besides the object resources you are already addressing via buck_binary_bucket_bay-earth-d5a/*), these require respective additional policies accordingly. For example, the common requirement of being able to list the objects in the bucket via ListBucket before accessing the objects themselves would require a respective policy fragment addressing the bucket like so:
"Statement":[{
"Effect":"Allow",
"Action":"s3:ListBucket",
"Resource":"arn:aws:s3:::buck_binary_bucket_bay-earth-d5a",
}
]
这篇关于问题指定在一个简单的AWS用户策略单个桶的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
