我正在尝试配置 S3 存储桶,以便只有特定用户才能访问它,而不是公众。
我创建了一个名为 s3-injury-log 的用户和以下存储桶策略
{
"Id": "Policy1542998309644",
"Version": "2012-10-17",
"Statement": [{
"Sid": "Stmt1542998308012",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::injury-log",
"Principal": {
"AWS": ["arn:aws:iam::058842494618:user/s3-injury-log"]
}
}]
}
我的"阻止所有公共访问"选项卡如下所示
Block all public access - Off
Block public access to buckets and objects granted through new access control lists (ACLs) - On
Block public access to buckets and objects granted through any access control lists (ACLs) - On
Block public access to buckets and objects granted through new public bucket policies - Off
Block public and cross-account access to buckets and objects through any public bucket policies - Off
但是当尝试将对象放入存储桶(使用 aws java 库(时,我收到以下错误消息
Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: CC71A7EFAFC9BBDB; S3 Extended Request ID: klrwopIIJK3PsJzEw
知道我做错了什么吗?
您的策略似乎不正确,仅允许存储桶级别的操作。因此,PutObject 操作被拒绝,这是对象级别的。
只需更新策略以允许对象级操作:
{
"Id": "Policy1542998309644",
"Version": "2012-10-17",
"Statement": [{
"Sid": "Stmt1542998308012",
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::injury-log",
"arn:aws:s3:::injury-log/*"
]
"Principal": {
"AWS": ["arn:aws:iam::058842494618:user/s3-injury-log"]
}
}]
}