随着博托库，我能避免在S3基地水桶授予列表的权限？ [英] With the boto library, can I avoid granting list permissions on a base bucket in S3?

问题描述

我现在有，有，像这样一个政策的IAM角色：

I currently have an IAM role that has a policy like so:

{
  "Version":"2008-10-17",
  "Statement": [
  {
    "Effect":"Allow",
    "Action":["s3:ListBucket"],
    "Resource":[
      "arn:aws:s3:::blah.example.com"
    ]
  },
  {
    "Effect":"Allow",
    "Action":["s3:GetObject", "s3:GetObjectAcl", "s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject"],
    "Resource":[
      "arn:aws:s3:::blah.example.com/prefix/"
    ]
  }
  ]
}

博托似乎需要ListBucket权限是对桶做get_bucket调用的根present。如果我删除了第一个散列声明数组中，get_bucket（'blah.example.com'）将失败。这里的错误文本：

Boto seems to require the ListBucket permission be present on the root of the bucket to do the get_bucket call. If I remove the first hash in the Statement array, get_bucket('blah.example.com') will fail. Here's the error text:

*** S3ResponseError: S3ResponseError: 403 Forbidden
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>xxxx</RequestId><HostId>yyyy</HostId></Error>

有没有什么办法来限制桶的上市在一定preFIX（如preFIX /），而仍然使用博托？

Is there any way to restrict listing of the bucket to a certain prefix (e.g. "prefix/") while still using boto?

更新

为了使一切工作正常，我用了以下策略：

In order to get everything working, I used the following policy:

{
  "Version":"2008-10-17",
  "Statement": [
  {
    "Effect":"Allow",
    "Action":["s3:ListBucket"],
    "Resource":[
      "arn:aws:s3:::blah.example.com"
    ],
    "Condition":{
      "StringLike":{
         "s3:prefix":"prefix/*"
      }
    }
  },
  {
    "Effect":"Allow",
    "Action":["s3:GetObject", "s3:GetObjectAcl", "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject"],
    "Resource":[
      "arn:aws:s3:::blah.example.com/prefix/*"
    ]
  }
  ]
}

您仍然需要使用验证=假参数添加到 get_bucket 的方法，但它允许范围内上市preFIX。

You still have to use the validate=False parameter to the get_bucket method, but it allows listing within the prefix.

推荐答案

在默认情况下博托试图做的水桶一个列表操作，要求零的结果来验证桶的存在。如果你想preFER，它跳过此验证步骤，只需要调用它是这样的：

By default boto tries to validate the existence of a bucket by doing a LIST operation on the bucket, asking for zero results. If you would prefer that it skip this validation step, just call it like this:

>>> import boto
>>> s3 = boto.connect_s3()
>>> bucket = s3.get_bucket('mybucket', validate=False)

这应该跳过列表操作。

这篇关于随着博托库，我能避免在S3基地水桶授予列表的权限？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！