我创建了一个名为sally的IAM用户,并且在创建时没有附加任何托管策略。然后附上以下IAM政策。
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "S3:*",
"Resource": [
"arn:aws:s3:::cat-pics",
"arn:aws:s3:::cat-pics/*"
],
"Effect": "Allow"
}
]
}
但是,当我以sally用户身份登录控制台时,我不断收到以下错误:错误访问被拒绝基本上,用户看不到猫图片桶或上传到它的任何对象。我在这里缺少什么?我需要向用户添加任何托管策略吗?请告诉我。
感谢
对于试图通过控制台访问bucket的用户来说,这是正确的策略文档。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "TheseActionsSupportBucketResourceType",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions"
],
"Resource": [
"arn:aws:s3:::cat-pics"
]
},
{
"Sid": "TheseActionsRequireAllResources",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:ListMultipartUploadParts"
],
"Resource": [
"*"
]
},
{
"Sid": "TheseActionsRequireSupportsObjectResourceType",
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::cat-pics/*"
]
}
]
}
此处提供了对该问题的详细解释:https://aws.amazon.com/blogs/security/iam-policy-summaries-now-help-you-identify-errors-and-correct-permissions-in-your-iam-policies/感谢
问题是,此策略只允许完全访问这个bucket,但如果您使用Console,则需要其他权限才能访问。AWS文档指出,您需要位于bucket之外的GetBucketLocation和ListAllMyBuckets权限才能使用控制台。
将此添加到策略中,它应该会起作用:
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "*"
},