我如何限制访问S3键在一个特定的preFIX？ （在Python /博托） [英] How do I limit access to S3 keys in a specific prefix? (In Python/boto)

问题描述

我想一个博托程序限制能够列出键和得到的S3存储桶只能从特定的文件夹键（preFIX）。

I want to limit a boto program to being able to list keys and get keys only from a specific folder (prefix) in an S3 bucket.

我有以下访问策略的IAM角色（当然要使用实名，）。这是在IAM文档为如何让用户访问主目录的例子政策的变化：

I have an IAM role with the following access policy (with real names, of course). This is a variation on the example policy in the IAM docs for how to allow users to access a "home directory":

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:Get*", "s3:List*"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::my-bucket"],
      "Condition":{"StringLike":{"s3:prefix":["my-prefix/*"]}}
    },
    {
       "Action":["s3:Get*", "s3:List*"],
       "Effect":"Allow",
       "Resource": ["arn:aws:s3:::my-bucket/my-prefix/*"]
    }
  ]
}

在博托，我连接到​​S3，并得到临时creds。然后我跑这样的：

In boto, I connect to S3 and get temp creds. Then I run this:

bucket = s3_connection.get_bucket('my-bucket')
all_keys = bucket.get_all_keys()
for key in all_keys:
    print key

这失败的 get_bucket 通话。我可以得到它的工作至今的唯一方法是删除 S3：preFIX 的条件（基本上，删除策略中的第一条语句）。但是，这则允许脚本从整个斗，不只是那些与特定的preFIX列出键。我使用了错误的方法来获取密钥？所有S3访问似乎开始 get_bucket

This fails on the get_bucket call. The only way I can get it to work so far is to remove the s3:Prefix condition (basically, remove the first statement in the policy). But that then allows the script to list keys from the entire bucket, not just those with a specific prefix. Am I using the wrong approach to getting the keys? All S3 access seems to begin with get_bucket.

我的可以的制作使用AWS CLI这项工作，是这样的：

I can make this work using the AWS CLI, like this:

aws sts assume-role --role-arn arn:aws:iam::123456789012:role/my-role --role-session-name "role1" --profile other-account-admin-user > temp-creds.txt
# ... copy temp-creds into credentials file using profile name "temp-creds", then ...
# works
aws s3api list-objects --bucket my-bucket --prefix my-prefix/ --profile temp-creds 
# fails, as expected
aws s3api list-objects --bucket my-bucket --profile temp-creds 

这使我想到，有一种方法可以做到这一点的博托，我只是不明白。 （当然，有可能是在我的测试，这恰好相当多的缺陷，哈哈。）

This leads me to think that there's a way to do this in boto, and I just can't figure it out. (Of course, there might be flaws in my testing, which happens rather a lot, haha.)

推荐答案

在默认情况下，在博托在 get_bucket 方法试图验证桶是否存在执行<$在斗URL C $ C> HEAD 请求。我想这会在你的情况下不会失败，因为用户没有访问该叶片的根部。

By default, the get_bucket method in boto attempts to verify that the bucket exists by performing a HEAD request on the bucket URL. I think this will fail in your case since the user doesn't have access to the root of the bucket.

所以，我认为这样的事情会为你工作：

So, I think something like this will work for you:

bucket = s3_connection.get_bucket('my-bucket', validate=False)
for key in bucket.list(prefix='my-prefix'):
    print(key)

这篇关于我如何限制访问S3键在一个特定的preFIX？ （在Python /博托）的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！