我需要拥有一些生成的S3存储桶,并具有所有可使用的权限 - 读写是强制性的。
我已经尝试使用此代码来实现它:
var createBucketParams = {Bucket: bucketName, ACL: 'public-read-write', GrantFullControl:'FULL_CONTROL'};
S3.createBucket(createBucketParams, function(err, data) {
if (err) {
console.log("Error while calling createBucket() - Error: " + err);
} else {
console.log("Successfully Bucket created.");
}
});
我的问题是,权限无法正常运行,我在尝试getObject()时都会被访问吗?
有什么想法?编辑:这是我当前的所有最新更改的代码:
before(() => {
console.log("Mocking AWS.DynamoDB.DocumentClient API");
AWSMock.mock('DynamoDB.DocumentClient', 'put', function(params, callback) {
callback(null, "Mock: successfully put object in DynamoDB");
});
console.log("Mocking AWS.S3 API");
AWSMock.mock('S3', 'createBucket', function (params, callback){
callback(null, "successfully bucket created in S3");
});
AWSMock.mock('S3', 'putObject', function (params, callback){
callback(null, "successfully put item in S3");
});
AWSMock.mock('S3', 'getObject', function (params, callback){
callback(null, "successfully get item in S3");
});
AWSMock.mock('S3', 'putBucketPolicy', function (params, callback){
callback(null, "successfully putBucketPolicy in S3");
});
});
it('Writing a file to S3 with user metadata - when data is valid JSON and updating the DB is Succeed',
function(done) {
var bucketName = 'my.unique.bucket.name';
var fileName = 'fileName.csv';
var s3Policy = {
"Version":"2012-10-17",
"Id":"http referer policy example",
"Statement":[
{
"Sid":"Allow get requests originating from www.example.com and example.com.",
"Effect": "Allow",
"Principal": "*",
"Action": ["s3:GetObject,s3:PutObject"],
"Resource": "arn:aws:s3:::" + bucketName + "/*",
"Condition": {
"IpAddress": {"aws:SourceIp": "127.0.0.1"},
"NotIpAddress": {"aws:SourceIp": "127.0.0.1"}
}
}
]
};
var S3 = new AWS.S3();
var createBucketParams = {Bucket: bucketName, ACL: "FULL_CONTROL", Region: "us-west-2"};
S3.createBucket(createBucketParams, function(err, data) {
if (err) {
console.log("Error while calling createBucket() - Error: " + err);
} else {
console.log("Successfully Bucket created.");
}
});
var putBucketPolicyParams = {
Bucket: bucketName,
Policy: JSON.stringify(s3Policy)
};
S3.putBucketPolicy(putBucketPolicyParams, function(err, data) {
if (err) console.log(err, err.stack);
else console.log(data);
});
var putObjectParams = {Bucket: bucketName,
Key: fileName,
Body: 'Hello!',
Metadata: {startDate: "2016-12-12T12:34:56.000Z", endDate:"2016-12-31T12:34:56.000Z",
userName:"someUser",
originalFileName:"fileName.csv"}};
S3.putObject(putObjectParams, function(err, data) {
if (err) {
console.log(err, err.stack)
} else {
console.log("Successfully put a file to bucket");
}
});
LambdaTester(myHandler)
.event(JSON.parse(JSON.stringify(require('./testcases/single_record_with_user_metadata.json'))))
.expectSucceed(function(result) {
expect(result.valid).to.be.true;
})
.verify(done);
});
和JS文件中的用法:
S3.getObject(s3FileParams, function(err, data) {
if (err) {
var message = "Error while trying to get file object " + fullFileName + " from bucket " + bucketName + ". Make sure they exist and your bucket is in the same region as this function. Error: " + err;
console.error(message);
// console.log(err, err.stack);
console.log(JSON.stringify(err, null, 2));
} else {
userMetaDataJson = JSON.parse(JSON.stringify(data.Metadata));
}
resolve();
})
S3提供两种类型的策略:
- 基于资源的
- 基于用户的
您(正确)尝试应用基于资源的策略。对于基于资源的策略,您还有两个选择:
- 访问控制列表(ACL)
- 存储策略
您正在尝试应用ACL,在这种情况下,您应该阅读文档中的" ACL权限和访问策略权限"部分的"映射"。具体来说,当您将读取ACL授予存储桶时,您允许以下内容:
- S3:ListBucket
- S3:ListBucketversions
- s3:listbucketmultipartuploads
特别注意您是不是允许S3:getObject。为此,将对象放入存储桶中时,您将在每个对象上提供读取的ACL。
好吧,所有这些ACL的东西,您可能应该使用存储措施策略而不是ACL。水桶策略补充,在许多情况下,取代了基于ACL的访问政策。这是向所有用户授予S3:GetObject权限的示例策略。您还必须添加putobject,以允许它们上传(以及根据列表,删除等必要的操作)。您可以使用putbucketpolicy设置存储策略。