我想给单个用户读取(下载)权限。我对应该使用什么感到困惑:
我应该使用
- S3 界面中的存储桶策略编辑器
- 用户的内联策略并指定读取权限(从 IAM 界面)
- 激活"任何经过身份验证的 AWS 用户"都有权读取(从 s3 界面),然后使用内联权限以获得更精细的粒度?
我使用了内联策略,但它不起作用:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUserToReadObject",
"Action": [
"s3:GetObject",
"s3:GetObjectVersion",
"s3:GetObjectTorrent"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::staging/*",
"arn:aws:s3:::prod/*"
]
}
]
}
当我使用 Boto 时:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from boto.s3.connection import S3Connection
from boto.s3.key import Key
import sys, os
AWS_KEY = ''
AWS_SECRET = ''
from boto.s3.connection import S3Connection
conn = S3Connection(AWS_KEY, AWS_SECRET)
bucket = conn.get_bucket('staging')
for key in bucket.list():
print key.name.encode('utf-8')
我收到以下错误:
Traceback (most recent call last):
File "listing_bucket_files.py", line 20, in <module>
bucket = conn.get_bucket('staging')
File "/usr/local/lib/python2.7/dist-packages/boto/s3/connection.py", line 503, in get_bucket
return self.head_bucket(bucket_name, headers=headers)
File "/usr/local/lib/python2.7/dist-packages/boto/s3/connection.py", line 536, in head_bucket
raise err
boto.exception.S3ResponseError: S3ResponseError: 403 Forbidden
您没有分配"s3:ListBucket"权限,该帐户在访问staging prod存储桶时被停止,然后无权访问这些存储桶中的文件/文件夹。
请记住,您必须按如下方式分隔代码,并且不要在存储桶名称后添加/*。
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::staging",
"arn:aws:s3:::prod",
]
},