当我对用户使用管理策略时,有人遇到过这种情况吗?它有效,但当我使用内联策略时,它说拒绝访问。我为IAM用户提供了对存储桶的读取访问权限,即它只能访问该存储桶。
管理策略
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": "*"
}
]
}
内联策略
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": "arn:aws:s3:::mybucketname/*"
}
]
}
我也试过这个
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "S3Permissions",
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::mybucketname/*",
"arn:aws:s3:::mybucketname"
]
}
]
}
您的最后一个策略应该可以用于直接访问存储桶,如中所述
- 如何授予用户仅访问某个存储桶或文件夹的AmazonS3控制台权限
对于控制台访问,需要额外的权限,如所示
- 编写IAM策略:如何授予对Amazon S3 Bucket的访问权限
具体来说,策略应该像:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::test"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": ["arn:aws:s3:::test/*"]
}
]
}
Amazons3ReadonlyAccess具有以上所有权限,而您的内联策略没有。