I need an Amazon S3 user with full access to a sin

2019-01-17 10:11发布

站内文章 / 前沿技术
68 0 0

问题:

I have a user foo with the following privileges (it's not a member of any group):

{
  "Statement": [
    {
      "Sid": "Stmt1308813201865",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bar"
    }
  ]
}

That user however seem unable to upload or do much of anything until I grant full access to authenticated users (which might apply to anyone). This still doesn't let the user change permission as boto is throwing an error after an upload when it tries to do do key.set_acl('public-read').

Ideally this user would have full access to the bar bucket and nothing else, what am I doing wrong?

回答1:

You need to grant s3:ListBucket permission to the bucket itself. Try the policy below.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "S3:*",
      "Resource": "arn:aws:s3:::bar/*",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::bar",
      "Condition": {}
    }
  ]
}


回答2:

The selected answer didn't work for me, but this one did:

{
  "Statement": [
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ],
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    }
  ]
}

Credit: http://mikeferrier.com/2011/10/27/granting-access-to-a-single-s3-bucket-using-amazon-iam/



回答3:

Are you aware of the AWS Policy Generator?



回答4:

There is an official AWS documentation at Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket

Just copy and paste the appropriate rule and change the "Resource" key to your bucket's ARN in all Statements.

For programamtic access the policy should be:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::bar"]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:DeleteObject"
            ],
            "Resource": ["arn:aws:s3:::bar/*"]
        }
    ]
}

And for console access access should be:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::bar*"
        },
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::bar"]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:DeleteObject"
            ],
            "Resource": ["arn:aws:s3:::bar/*"]
        }
    ]
}


回答5:

That works for me: 

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:ListBucketMultipartUploads",
                "s3:ListBucketVersions"
            ],
            "Resource": "arn:aws:s3:::bucket_name_here"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:*Object*",
                "s3:ListMultipartUploadParts",
                "s3:AbortMultipartUpload"
            ],
            "Resource": "arn:aws:s3:::bucket_name_here/*"
        }
    ]
}


回答6:

If you've been pulling your hair out because you cannot figure out why Cyberduck is not being able to set object ACLs but it works with another client (like Panic Transmit) here is the solution:

You need to add s3:GetBucketAcl to your Action list, eg:

{
    "Statement": [
        {
            "Sid": "Stmt1",
            "Action": [
                "s3:GetBucketAcl",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::your-bucket-name"
        }
    ]
}

Of course you don't need to do this if you are less restrictive with s3:* but I think this is good to know.



回答7:

@cloudberryman's answer is correct but I like to make things as short as possible. This answer can be reduced to:

{  
   "Statement":[  
      {  
         "Effect":"Allow",
         "Action":"S3:*",
         "Resource":[  
            "arn:aws:s3:::bar",
            "arn:aws:s3:::bar/*"
         ]
      }
   ]
}


标签: amazon-s3 amazon-web-services user-permissions amazon-iam
举报

收藏的人(0)

Ta的文章 更多文章
登录 后发表评论
0条评论
还没有人评论过~