无法下载通过共享帐户S3桶上传的文件 [英] Can't download files uploaded by shared account s3 bucket
问题描述
我建立了Amazon S3和补充桶政策给其他用户帐户访问文件上传到它一斗。我增加了以下桶政策。
不过,我现在自己无法下载的共享者上传的文件。我想我没有带他们给ACL权限。我应该如何处理下载的文件。他们可以从他们的最终准许他们上传的文件?
{
版本:2008-10-17,
ID:Policyxxxxxxxxxxxx
声明: [
{
锡德:Stmtxxxxxxxxxxxxx
效果:允许,
主要: {
AWS:ARN:AWS:IAM ::< ACCOUNT_NUMBER>:根
},
行动: [
S3:AbortMultipartUpload
S3:GetObject的,
S3:ListMultipartUploadParts
S3:PutObject
]
资源:ARN:AWS:S3 :::< bucket_name> / *
},
{
锡德:Stmtxxxxxxxxxxx
效果:允许,
主要: {
AWS:ARN:AWS:IAM ::< ACCOUNT_NUMBER>:根
},
行动: [
S3:PutBucketLogging
S3:PutBucketNotification
S3:ListBucket
]
资源:ARN:AWS:S3 :::< bucket_name>中
}
]
}
所以,问题是,Amazon S3的桶桶适用的政策,只能由斗所有者拥有的对象。所以,如果你是水桶业主又给把对象权限通过意味着你还需要确保他们的对象上载过程中给你斗的许可政策。虽然授予跨帐户权限上传事物,可以限制其自带的只有只读权限的对象。
来源:的http://docs.aws.amazon.com/AmazonS3/latest/dev/AccessPolicyLanguage_UseCases_s3_a.html 相关讨论: https://forums.aws.amazon.com /thread.jspa?messageID=524342&%20#524342 举例斗政策:
{
版本:2012年10月17日,
声明:[
{
西特:111,
效果:允许,
主要:{
AWS:1111111111
},
行动:S3:PutObject
资源:ARN:AWS:S3 ::: examplebucket / *
},
{
锡德:112,
效果:拒绝,
主要:{
AWS:1111111111
},
行动:S3:PutObject
资源:ARN:AWS:S3 ::: examplebucket / *,
条件:{
StringNotEquals:{
S3:X-AMZ-赠款完全控制:
emailAddress=xyz@amazon.com
]
}
}
}
]
}
I have created a bucket on amazon s3 and added bucket policy giving another user account access to upload files to it. I added the following bucket policy.
However, now I am myself unable to download the files uploaded by the sharer. I guess I havn't given them acl rights. How should I proceed to download the files. Can they grant permission from their end for their uploaded files?
{
"Version": "2008-10-17",
"Id": "Policyxxxxxxxxxxxx",
"Statement": [
{
"Sid": "Stmtxxxxxxxxxxxxx",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account_number>:root"
},
"Action": [
"s3:AbortMultipartUpload",
"s3:GetObject",
"s3:ListMultipartUploadParts",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::<bucket_name>/*"
},
{
"Sid": "Stmtxxxxxxxxxxx",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account_number>:root"
},
"Action": [
"s3:PutBucketLogging",
"s3:PutBucketNotification",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::<bucket_name>"
}
]
}
So the problem is that the amazon s3 bucket applies bucket policy to only objects owned by bucket owner. So if you are the bucket owner and gave put object permission through bucket policy that mean you also need to make sure they give you permission during the object upload. While granting cross-account permissions to upload objects one can restrict only objects which comes with read permission only.
Source: http://docs.aws.amazon.com/AmazonS3/latest/dev/AccessPolicyLanguage_UseCases_s3_a.html Related discussion : https://forums.aws.amazon.com/thread.jspa?messageID=524342&%20#524342 Example bucket policy :
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"111",
"Effect":"Allow",
"Principal":{
"AWS":"1111111111"
},
"Action":"s3:PutObject",
"Resource":"arn:aws:s3:::examplebucket/*"
},
{
"Sid":"112",
"Effect":"Deny",
"Principal":{
"AWS":"1111111111"
},
"Action":"s3:PutObject",
"Resource":"arn:aws:s3:::examplebucket/*",
"Condition":{
"StringNotEquals":{
"s3:x-amz-grant-full-control":[
"emailAddress=xyz@amazon.com"
]
}
}
}
]
}
这篇关于无法下载通过共享帐户S3桶上传的文件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
