我试图将IAM用户的访问权限限制为仅3个bucket。我正在AWS上创建一个IAM策略,使IAM用户能够在AWS S3上同步文件。我已经编写了以下策略,但每次我运行aws sync命令,将桌面上的文件夹与策略允许访问的bucket同步时,终端似乎都会在没有输出任何响应或完成过程的情况下陷入困境。关于同一个可能缺少哪些权限,有什么想法吗?
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
"s3:DeleteObject",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::bucket-1",
"arn:aws:s3:::bucket-2",
"arn:aws:s3:::bucket-3"
]
}
]
}
一些S3命令需要bucket级别的权限,而其他命令则需要对象级别的权限。
解决此问题的最简单方法是同时指定两者。
试试这个:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
"s3:DeleteObject",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::bucket-1",
"arn:aws:s3:::bucket-2",
"arn:aws:s3:::bucket-3",
"arn:aws:s3:::bucket-1/*",
"arn:aws:s3:::bucket-2/*",
"arn:aws:s3:::bucket-3/*"
]
}
]
}
我不确定您是在尝试编写IAM策略还是bucket策略?如果以后。无论哪种情况,您都缺少对象级别的权限。对于bucketbucket策略,您也缺少主体。
您还可以为对象或bucket分离语句。以下是bucket策略的示例:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::xxxxx:user/a_user"
},
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::bucket-1",
"arn:aws:s3:::bucket-2",
"arn:aws:s3:::bucket-3"
]
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::xxxx:user/a_user"
},
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::bucket-1/*",
"arn:aws:s3:::bucket-2/*",
"arn:aws:s3:::bucket-3/*"
]
}
]
}