我想创建一个S3 bucket,任何人都可以获得对象,但只有iam用户可以上传对象。
我的遗愿政策是这样的。任何人都可以读取对象,但不能执行删除、列出、创建操作。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicRead",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "*"
}
]
}
我附加了以下策略,以获得将对象上载到用户和组的权限。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1347416638923",
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::my_bucket/*" //fixed as @Marcin mentioned
}
]
}
问题是,这个用户可以列出对象,从javascript中删除对象。我们如何允许该用户只上传对象?
顺便说一下,我们使用Wasabi存储。
arn:aws:s3:::my_bucket是一个bucket,而不是对象。因此它应该是:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1347416638923",
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::my_bucket/*"
},
{
"Sid": "ExplityDeny",
"Effect": "Deny",
"Action": "s3:DeleteObject",
"Resource": "arn:aws:s3:::my_bucket/*"
},
{
"Sid": "ExplityDeny2",
"Effect": "Deny",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::my_bucket"
}
]
}