访问被拒绝上传到S3 [英] Access Denied upload to s3

问题描述

我试着上传到S3，当我看到日志的S3存储日志这是这样说的：

I tried uploading to s3 and when I see the logs from the s3 bucket logs this is what it says:

mybucket-me [17/Oct/2013:08:18:57 +0000] 120.28.112.39 
arn:aws:sts::778671367984:federated-user/dean@player.com BB3AA9C408C0D26F 
REST.POST.BUCKET avatars/dean%2540player.com/4.png "POST / HTTP/1.1" 403 
AccessDenied 231 - 132 - "http://localhost:8080/ajaxupload/test.html" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.52 Safari/537.17" -

我拒绝访问。从哪里它的指向我想我错过了唯一的事就是加入斗政策。所以在这里不用。

I got an access denied. From where it's pointing I think the only thing that I'm missing out is adding of bucket policy. So here goes.

使用我的电子邮件，我可以在我的应用程序日志和上传头像。在这里我想把我的头像斗的名字是mybucket，我和它有一个分斗命名的化身。

Using my email I could log in to my app and upload an avatar. The bucket name where I want to put my avatar is mybucket-me and in that it has a sub bucket named avatars.

-mybucket-me
 -avatars
  -dean@player.com //dynamic based on who are logged in
   -myavatar.png //image uploaded

如何添加一个水桶政策，这样我就可以授予联合比如我上传的S3 的或什么是正确的说法，我将增加在我的水桶政策，以便它可以给予我上传到我们的水桶权限？的

推荐答案

您可以将以下策略来斗：

You can attach the following policy to the bucket:

{
    "Version": "2008-10-17",
    "Id": "Policy1358656005371",
    "Statement": [
        {
            "Sid": "Stmt1354655992561",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:sts::778671367984:federated-user/dean@player.com"                  
                ]
            },
            "Action": [
                "s3:List*",
                "s3:Get*"
            ],
            "Resource": [
                "arn:aws:s3:::my.bucket",
                "arn:aws:s3:::my.bucket/*"
            ]
        }
    ]
}

授予联盟用户dean@player.com只读权限为my.bucket。

to grant the federated user dean@player.com read-only permissions to 'my.bucket'.

这政策不是很维护，因为特别是它的名字这个用户。为了让只能访问某些联盟用户更可扩展的方式，它会当你调用GetFederationToken更好地做到这一点。如果您发布STS code，我可以帮你分配政策的存在，但它非常类似于上面。

This policy is not very maintainable because it names this user in particular. To give access to only certain federated users in a more scalable way, it would be better to do this when you call GetFederationToken. If you post your STS code I can help you assigning the policy there, but it is very similar to the above.

这篇关于访问被拒绝上传到S3的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！