Amazon S3的JSON文件 - 访问被拒绝 [英] Amazon S3 JSON File - Access Denied

问题描述

我有角的SPA应用程序，并启用了写入到JSON文件通过启用放在CORS配置。

I have an SPA application in Angular and have enabled write to JSON files by enabling PUT in the CORS Config.

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
</CORSConfiguration>

我可以创建通过把一个JSON文件，然后做一个能看到我所创建的文件，从浏览器窗口。然而，通过下载的在线S3控制台或莓创建的JSON文件时，我得到一个拒绝访问即使我使用的密钥根帐户。该错误信息是这样的：

I can create a JSON file via PUT and then do a GET to see the file I have created, from the browser window. However, when downloading the created JSON file via the Online S3 console or CloudBerry, I get an "access denied" even though I am using the root account with the secret key. The error message looks like this:

<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>876213549363694A</RequestId>
<HostId>
ePMtRfoLm7zUrjYwSG6aIWIBeIwWI0Ajiq+LSUqylKofhdIIbSm5LfncoS0ZvxcC
</HostId>
</Error>

pciated！任何建议多AP $ P $

Any suggestions much appreciated!!

推荐答案

S3的许可制度是有点的有趣。 S3跟踪所有权信息水桶对象和水桶本身 - 对象可以有不同的所有者比他们属于桶，如果业主是不同的，你必须有权限从他们两个人访问该对象 - 即使你'重新铲斗的主人！

S3's permission system is a bit interesting. S3 tracks ownership information for objects in buckets as well as buckets themselves - objects CAN have a different owner than the bucket they belong to, and if the owners are different you must have permission from BOTH of them to access the object - even if you're the owner of the bucket!

您所上传的对象匿名，所以，物体就会由匿名用户拥有。你（铲斗的所有者）已准许匿名用户从您的水桶读取的对象，并且该对象是由匿名用户拥有的，因此未认证的GET呼叫工作。但是，谁执行的上传匿名用户还没有给你（桶所有者）的权限读取的对象，所以调用使用您的凭据被拒绝认证......光怪陆离。

You're uploading the object anonymously, so the object ends up owned by the anonymous user. You (the owner of the bucket) have given permission for the anonymous user to read objects from your bucket, and the object is owned by the anonymous user, so unauthenticated GET calls work. However, the anonymous user who performed the upload has NOT given you (the bucket owner) permission to read the object, so calls authenticated using your credentials are rejected... Bizarre.

最快捷的方式摆脱这种局面，包括了X-AMZ-ACL：水桶业主完全控制头在你的PUT请求。这将授予斗（你）完全控制读取，写入或删除即使它仍然是拥有匿名用户对象的所有者。您可能需要考虑使在桶政策所有的匿名PUT请求需要此头作为记录<一个href="http://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html#grant-putobject-conditionally-1"相对=nofollow>这里。

The quickest way out of this situation is to include an "x-amz-acl: bucket-owner-full-control" header on your PUT request. This grants the owner of the bucket (you) full control to read, write, or delete the object even though it's still "owned" by the anonymous user. You may want to consider making this header required on all anonymous PUT requests in the bucket policy as documented here.

添加一个例子：

$http.put("/path", jsonData, {
                    headers: { 'x-amz-acl': 'bucket-owner-full-control' }
                    }
);

这篇关于Amazon S3的JSON文件 - 访问被拒绝的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！