随着博托库,我能避免在S3基地水桶授予列表的权限? [英] With the boto library, can I avoid granting list permissions on a base bucket in S3?
问题描述
我现在有,有,像这样一个政策的IAM角色:
I currently have an IAM role that has a policy like so:
{
"Version":"2008-10-17",
"Statement": [
{
"Effect":"Allow",
"Action":["s3:ListBucket"],
"Resource":[
"arn:aws:s3:::blah.example.com"
]
},
{
"Effect":"Allow",
"Action":["s3:GetObject", "s3:GetObjectAcl", "s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject"],
"Resource":[
"arn:aws:s3:::blah.example.com/prefix/"
]
}
]
}
博托似乎需要ListBucket权限是对桶做get_bucket调用的根present。如果我删除了第一个散列声明数组中,get_bucket('blah.example.com')将失败。这里的错误文本:
Boto seems to require the ListBucket permission be present on the root of the bucket to do the get_bucket call. If I remove the first hash in the Statement array, get_bucket('blah.example.com') will fail. Here's the error text:
*** S3ResponseError: S3ResponseError: 403 Forbidden
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>xxxx</RequestId><HostId>yyyy</HostId></Error>
有没有什么办法来限制桶的上市在一定preFIX(如preFIX /),而仍然使用博托?
Is there any way to restrict listing of the bucket to a certain prefix (e.g. "prefix/") while still using boto?
更新
为了使一切工作正常,我用了以下策略:
In order to get everything working, I used the following policy:
{
"Version":"2008-10-17",
"Statement": [
{
"Effect":"Allow",
"Action":["s3:ListBucket"],
"Resource":[
"arn:aws:s3:::blah.example.com"
],
"Condition":{
"StringLike":{
"s3:prefix":"prefix/*"
}
}
},
{
"Effect":"Allow",
"Action":["s3:GetObject", "s3:GetObjectAcl", "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject"],
"Resource":[
"arn:aws:s3:::blah.example.com/prefix/*"
]
}
]
}
您仍然需要使用验证=假
参数添加到 get_bucket
的方法,但它允许范围内上市preFIX。
You still have to use the validate=False
parameter to the get_bucket
method, but it allows listing within the prefix.
推荐答案
在默认情况下博托试图做的水桶一个列表操作,要求零的结果来验证桶的存在。如果你想preFER,它跳过此验证步骤,只需要调用它是这样的:
By default boto tries to validate the existence of a bucket by doing a LIST operation on the bucket, asking for zero results. If you would prefer that it skip this validation step, just call it like this:
>>> import boto
>>> s3 = boto.connect_s3()
>>> bucket = s3.get_bucket('mybucket', validate=False)
这应该跳过列表操作。
这篇关于随着博托库,我能避免在S3基地水桶授予列表的权限?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!