我正试图使用KMS密钥别名从S3获取对象,当放置对象以相同的策略工作时,S3不工作。我的策略如下
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListBucket",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::primary-db-backups-XXXXX"
},
{
"Sid": "AllowGetPutPostgresBackups",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::primary-db-backups-XXXXX/*"
]
},
{
"Sid": "AllowS3KMS",
"Effect": "Allow",
"Action": [
"kms:GenerateDataKey*",
"kms:Decrypt"
],
"Resource": "*",
"Condition": {
"StringLike": {
"kms:RequestAlias": "alias/infra_s3_key"
}
}
}
]
}
download failed: s3://primary-db-backups-XXXXX/ip15000_2021-10-19T02-37-52.sql to - An error occurred (AccessDenied) when calling the GetObject operation: Access Denied
如果我把KMS密钥ARN在资源,然后它的工作。我不知道为什么GetObject不工作,而PutObjects工作。
这可能是因为S3通过其ARN调用KMS密钥,而不是alias。只有当S3对KMS的API调用本身使用alias/infra_s3_key时,才可以使用alias/infra_s3_key。但它可能使用了密钥ARN,因此只有KMS密钥ARN的条件才有效。