Amazon S3 - How do I download objects owned by ano

Published 2019-07-17 06:11

Question:

I have a sample web page that has allowed anonymous users to upload objects and create folders in my S3 bucket.

Unfortunately I had not set any specific bucket policies or ACLs before doing this.

Now I have the problem where an anonymous user has created a folder and uploaded objects which I (as the root user) cannot download or access. I plan to set up a new bucket policy before more users can upload objects, but right now I need access to these current objects owned by anonymous.

Can someone tell me how I can do this?

Answer 1:

By 'anonymous user', do you mean 'unauthenticated user'? If so, then you have two options (#1 and #2 below). If not, then you have one option (#1 below). All of this assumes, of course, that you cannot persuade the uploader himself to modify the ACLs on these objects.

  1. Delete the objects. As the bucket owner, you can always delete objects (and stop paying for them).

  2. Become the object owner and grant the bucket owner (you) full control. Anyone can be the unauthenticated user and hence the object owner.

Here is an example of how to do #2 for bkt/cat.jpg using node.js and the AWS JavaScript SDK. This code invokes putObjectAcl as the unauthenticated user and gives the bucket owner (you) full control over the object.

// Runs as the unauthenticated ("anonymous") principal, i.e. the same identity
// that uploaded the object, so S3 treats this caller as the object owner.
var aws = require('aws-sdk');
var s3 = new aws.S3();
// Canned ACL that grants FULL_CONTROL to both the object owner and the bucket owner.
var p = { Bucket: 'bkt', Key: 'cat.jpg', ACL: 'bucket-owner-full-control' };
s3.makeUnauthenticatedRequest('putObjectAcl', p, function(e, d) {
  if (e) console.log('err: ' + e);
  if (d) console.log('data: ' + JSON.stringify(d)); // stringify, or the object prints as "[object Object]"
});

Unfortunately, the awscli does not appear to support unauthenticated S3 calls; otherwise I would have proposed using that to modify the ACLs of the object.

Note that the canned ACL of bucket-owner-full-control gives both the object owner and the bucket owner full control.
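Two defender-side helpers for the situation in the question, added here as an example (not code from the answer above or from the AWS SDK): a bucket policy that refuses future uploads unless they carry the bucket-owner-full-control canned ACL, and an audit function that, given GetObjectAcl-shaped results, lists the objects the bucket owner still cannot reach. The bucket name, object keys and canonical IDs are constructed placeholders.

```javascript
// Bucket policy: deny s3:PutObject to everyone unless the request sets the
// canned ACL 'bucket-owner-full-control' (checked via the s3:x-amz-acl
// condition key), so later anonymous uploads never lock the owner out again.
function bucketOwnerFullControlPolicy(bucket) {
  return {
    Version: '2012-10-17',
    Statement: [{
      Sid: 'RequireBucketOwnerFullControlOnUpload',
      Effect: 'Deny',
      Principal: '*',
      Action: 's3:PutObject',
      Resource: 'arn:aws:s3:::' + bucket + '/*',
      Condition: { StringNotEquals: { 's3:x-amz-acl': 'bucket-owner-full-control' } }
    }]
  };
}

// acls: [{ Key, Owner: { ID }, Grants: [{ Grantee: { Type, ID }, Permission }] }]
// i.e. the shape S3 GetObjectAcl returns, plus the object key.
// Returns the keys whose grants give the bucket owner's canonical ID no FULL_CONTROL.
function findUnreachableObjects(acls, bucketOwnerId) {
  return acls
    .filter(function (a) {
      return !a.Grants.some(function (g) {
        return g.Grantee.Type === 'CanonicalUser' &&
          g.Grantee.ID === bucketOwnerId &&
          g.Permission === 'FULL_CONTROL';
      });
    })
    .map(function (a) { return a.Key; });
}

// Constructed sample data (placeholder IDs, not real canonical user IDs).
var BUCKET_OWNER_ID = 'bucket-owner-canonical-id-placeholder';
var UPLOADER_ID = 'anonymous-uploader-canonical-id-placeholder';
var SAMPLE_ACLS = [
  // Uploaded anonymously with the default ACL: only the uploader has rights.
  { Key: 'uploads/cat.jpg', Owner: { ID: UPLOADER_ID },
    Grants: [{ Grantee: { Type: 'CanonicalUser', ID: UPLOADER_ID }, Permission: 'FULL_CONTROL' }] },
  // Uploaded with bucket-owner-full-control: uploader and bucket owner both have rights.
  { Key: 'uploads/dog.jpg', Owner: { ID: UPLOADER_ID },
    Grants: [{ Grantee: { Type: 'CanonicalUser', ID: UPLOADER_ID }, Permission: 'FULL_CONTROL' },
             { Grantee: { Type: 'CanonicalUser', ID: BUCKET_OWNER_ID }, Permission: 'FULL_CONTROL' }] }
];

console.log('unreachable:', findUnreachableObjects(SAMPLE_ACLS, BUCKET_OWNER_ID)); // ['uploads/cat.jpg']
console.log(JSON.stringify(bucketOwnerFullControlPolicy('bkt'), null, 2));
```

In a real bucket the `SAMPLE_ACLS` array would be built by calling GetObjectAcl for each key from ListObjects; the policy is attached with PutBucketPolicy.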



Answer 2:

Take a look at the Policy on the Identity and Access Management (IAM) user you are using to access the AWS Management Console. If it has Administrator or Power User policy settings, then you will have full access to objects in all Amazon S3 buckets associated with your AWS Account.

You will need to access the objects through an authenticated method, such as the S3 Management Console.

If you are using the root user of your account, you will also have full access to your S3 buckets and their contents. It is not recommended that you use your root user on a daily basis because it has complete access to your account and it is dangerous if compromised -- instead, use the root account to create an administrative user in IAM, which can be more easily managed (e.g. changing permissions, rotating keys).

If you are still having difficulty viewing the objects, make sure they are being accessed by selecting the object and then choosing Open from the Actions menu. This creates an authenticated URL that will open the files. If you simply click the displayed link in the object properties window, it will use a URL that has no authentication and will likely fail.