我正在使用LocalStack学习AWS,目前正在IAM用户和S3存储桶的上下文中学习IAM策略,我专注于使用AWS CLI。
我试图创建一个策略来拒绝特定用户对S3的所有访问:
{
"comment": "s3-deny-stanley.json",
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "s3:*",
"Principal": { "AWS": "arn:aws:iam::000000000000:user/stanley" },
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}
以下是斯坦利的简介:
$ aws --profile=admin_cred --endpoint-url=http://localhost:4593 iam get-user --user-name stanley
{
"User": {
"Path": "/",
"UserName": "stanley",
"UserId": "mnxybnqil4uugewvlq7x",
"Arn": "arn:aws:iam::000000000000:user/stanley",
"CreateDate": "2020-05-01T20:01:30.932000+00:00"
}
}
我是这样应用政策的:
$ aws --profile=admin_cred --endpoint-url=http://localhost:4572 s3api put-bucket-policy --bucket my-bucket --policy file://s3-deny-stanley.json
$
我在我的bucket中添加了一个文件,如下所示:
$ cat << EOF > foo.txt
> hello, world!
> EOF
$
$ aws --profile=admin_cred --endpoint-url=http://localhost:4572 s3 cp ./foo.txt s3://my-bucket/foo.txt
upload: ./foo.txt to s3://my-bucket/foo.txt
现在我试图以stanley的身份访问该文件,但事与愿违,他似乎能够:
$ aws --profile=stanley --endpoint-url=http://localhost:4572 s3 ls s3://my-bucket/
2020-05-01 14:33:03 14 foo.txt
$ aws --profile=stanley --endpoint-url=http://localhost:4572 s3 cp s3://my-bucket/foo.txt ./foo2.txt
download: s3://my-bucket/foo.txt to ./foo2.txt
$
有人能指出我在上面尝试将s3拒绝stanley政策应用于我的bucket时出了什么问题吗
(向斯坦利道歉(
更新:
我检查了该策略的附件,如下所示:
$ aws --profile=admin_cred --endpoint-url=http://localhost:4572 s3api get-bucket-policy --bucket my-bucket
{
"Policy": "{n "comment": "s3-deny-stanley.json",n "Version": "2012-10-17",n "Statement": [n {n "Effect": "Deny",n "Action": "s3:*",n "Principal": { "AWS": "arn:aws:iam::000000000000:user/stanley" },n "Resource": "arn:aws:s3:::my-bucket/*"n }n ]n}nn"
}
更新:
更新策略以删除"注释",如下所示:
$ cat ./s3-deny-stanley.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "s3:*",
"Principal": { "AWS": "arn:aws:iam::000000000000:user/stanley" },
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}
出于谨慎,我删除了我原来的bucket,重新创建了它,对它应用了更新的策略,并重复了stanley的访问尝试:结果与最初描述的完全相同。
无法再现OP在AWS上描述的行为。我给了stanley管理员权限,并获得了以下
$ aws s3 cp s3://bucketname/key . --profile stanley
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
所以我认为这是一个localstack错误。