我的 S3 限制了提供私有内容的策略。只有云前端源访问身份可以访问。但是,应允许其他帐户上传新对象,以便客户端可以获得新资产。应该为这种情况设置什么样的政策?
目前我的政策是这样的
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity SomeID12334"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
}
您可以在存储桶策略中添加多个语句来处理权限。 提供来自另一个账户的角色 ARN,以提供对存储桶执行特定操作的访问权限。
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity SomeID12334"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
},
{
"Sid": "Stmt1570159952662",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<accountno>:role/rolename"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::my-bucket"
}