小贝子编程

为什么我在s3上的访问被拒绝(使用Node.js的aws-sdk)



我正试图从s3存储桶中读取一个现有的文件,但我一直收到"访问被拒绝"的消息,没有任何解释或指示

'use strict'
var AWS = require('aws-sdk')
const options = {
  apiVersion: '2006-03-01',
  params: {
    Bucket: process.env['IMAGINATOR_BUCKET']
  },
  accessKeyId: process.env['IMAGINATOR_AWS_ACCESS_KEY_ID'],
  secretAccessKey: process.env['IMAGINATOR_AWS_SECRET_ACCESS_KEY'],
  signatureVersion: 'v4'
}
console.log('options', options)
var s3 = new AWS.S3(options)
module.exports = exports = {
  get (name, cb) {
    const params = {
      Key: name + '.json'
    }
    console.log('get params', params)
    return s3.getObject(params, cb)
  },
  set (name, body, cb) {
    const params = {
      Key: name + '.json',
      Body: body
    }
    console.log('set params', params)
    return s3.putObject(params, cb)
  }
}

这就是我在使用get方法并记录回调中提供的错误(敏感信息被删除(时得到的输出:

options { apiVersion: '2006-03-01',
  params: { Bucket: CENSORED_BUT_CORRECT },
  accessKeyId: CENSORED_BUT_CORRECT,
  secretAccessKey: CENSORED_BUT_CORRECT,
  signatureVersion: 'v4' }
get params { Key: 'whitelist.json' }
err { [AccessDenied: Access Denied]
  message: 'Access Denied',
  code: 'AccessDenied',
  region: null,
  time: Wed Sep 21 2016 11:17:50 GMT-0400 (EDT),
  requestId: CENSORED,
  extendedRequestId: CENSORED,
  cfId: undefined,
  statusCode: 403,
  retryable: false,
  retryDelay: 20.084538962692022 }
/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/request.js:31
            throw err;
            ^
AccessDenied: Access Denied
    at Request.extractError (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/services/s3.js:538:35)
    at Request.callListeners (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/sequential_executor.js:105:20)
    at Request.emit (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
    at Request.emit (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/request.js:668:14)
    at Request.transition (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/request.js:670:12)
    at Request.callListeners (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/sequential_executor.js:115:18)

现在我不知道该怎么办,因为我认为我根据文档做的事情是正确的,但它不起作用,错误消息也没有说明为什么我的访问被拒绝。。。你知道下一步该怎么做吗?

问题是我的新IAM用户没有附加策略。我为它分配了AmazonS3FullAccess策略,现在它可以工作了。

正如评论中所指出的,限制性更强的政策会更安全

如果您试图将ACL设置为";公共阅读";但是bucket正在阻止公共访问。例如,如果您打算将静态资产上传到配置错误的S3存储桶。您可以在bucket设置中更改它。

策略中的

FullAccess不是必需的。你可以试试这样的东西:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:Put*",
                "s3:Get*",
                "s3:List*",
                "s3:Delete*"
            ],
            "Resource": [
                "arn:aws:s3:::bucket/*",
                "arn:aws:s3:::bucket"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        }
    ]
}

当您试图读取的对象不存在时,可能会发生这些错误。据我所知,在这些情况下,AWS的错误并不那么明显。

验证您的密钥/存储桶是否正确,以及您是否在API方法上发送了正确的参数。

我已经两次遇到这个问题:

  • 当我用bucket param替换key param,反之亦然,并且我试图使用getObject()方法读取s3对象时
  • 当我试图使用copyObject()方法将文件复制到不存在的位置时
Steps
1: click on Users in IAM (in AWS)
2: click on permission tab
3: click on add permission then click on add group
4: search s3fullaccess in searchbar
5: select AmazonS3FullAccess and type any group name then click on create
6: perform action through your API again
7: done

"code":"AccessDenied","region":null,"time":"2020-05-24T05:20:56.219Z","requestId": ...

在"权限"选项卡的s3 aws控制台>Bucket策略编辑器中应用以下策略以消除上述错误,

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<IAM-user-ID>:user/testuser"
            },
            "Action": [
                "s3:ListBucket",
                "s3:ListBucketVersions",
                "s3:GetBucketLocation",
                "s3:Get*",
                "s3:Put*"
            ],
            "Resource": "arn:aws:s3:::srcbucket"
        }
    ]
}

在我的情况下,我更新了.env文件中包含s3 bucket名称的变量,但没有更新程序中的变量,因此程序收到了bucket名称变量的undefined值,这导致了我的程序抛出access denied错误。

因此,如果您将存储桶名称存储在变量中,请确保使用正确的存储桶名称或正确的变量名称

我遇到了同样的错误,这是因为我试图访问的文件不在bucket中。因此,请确保您使用了正确的bucket名称,并且您要查找的文件的名称与该bucket中存在的名称完全相同。https://www.diffchecker.com/diff是一个很好的工具,可以查找字符串

中的差异

在IAM用户设置中,如果您已启用AmazonS3FullAccess,并确保不应启用任何其他S3策略。它会覆盖您的AmazonS3FullAccess。并检查您是否收到了来自亚马逊的任何电子邮件。

我也遇到了同样的问题,原来是ACL权限问题。它解决了!

相关内容

  • 没有找到相关文章

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium