正如问题所问的那样,锁定的S3 IAM用户成功使用Django-storages的最低权限是什么?目前,我使用了
之类的东西{
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListAllMyBuckets"],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": ["s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions"],
"Resource": "arn:aws:s3:::bucket-name"
},
{
"Effect": "Allow",
"Action": ["s3:*Object*",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload"],
"Resource": "arn:aws:s3:::bucket-name/*"
}
]
}
实际上可能是过分的。还有其他想法吗?
fiver的答案不足以在django-storages中运行collectstatic。除了s3:ListAllMyBuckets,我使用了 @jvc26所做的所有内容。我认为也不需要s3:ListBucketVersions。
{
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions"],
"Resource": "arn:aws:s3:::bucket-name"
},
{
"Effect": "Allow",
"Action": ["s3:*Object*",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload"],
"Resource": "arn:aws:s3:::bucket-name/*"
}
]
}
我对django-storage不确定,因为我使用的是基于django-storage的S3部分的cuddly-buddly。我刚刚发现Cuddlybuddly更易于使用和更好地工作,而且名称很棒!
无论如何,我有一个使用Django S3的项目,并发现以下AWS策略是我项目所需的最低限度:
{
"Version": "2008-10-17",
"Id": "Policy123",
"Statement": [
{
"Sid": "Stmt123",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::some-aws-user"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::bucket-name"
},
{
"Sid": "Stmt234",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::some-aws-user"
},
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::bucket-name/*"
}
]
}
我有需要上传,检索和删除的Django视图,因此可以根据您的需求使用/省略这些相应的操作。显然,任何人都需要更改用户和存储桶名。
另外,仅出于完整性而对我来说并不明显,请注意以下有关AWS政策的限制:
策略的最大大小为20 kb
资源的值必须带有存储桶名或 水桶名和下面的路径(bucket/)。如果只有存储桶名是 指定的是,没有落后/,该策略适用于存储桶。
每个策略必须具有唯一的策略ID(ID)
策略中的每个语句都必须具有唯一的语句ID(SID)
每个策略必须仅覆盖其中的一个存储桶和资源 存储桶(编写策略时,请勿包括指的语句 其他存储桶中的其他存储桶或资源)
最后,对于那些想这样做的任何人,不要更改Version密钥中的日期值,亚马逊使用此值来解析策略格式。
希望这会有所帮助!
请参阅此处的官方django storage官方文档:https://django-storages.readthedocs.io/en/latest/backends/amazon-s3.html#iam-policy/policy/>
您可以简单地复制并将这些权限粘贴到您的IAM策略中。
对我有用:
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions"
],
"Resource": "arn:aws:s3:::bucket_name_here"
},
{
"Effect": "Allow",
"Action": [
"s3:*Object*",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload"
],
"Resource": "arn:aws:s3:::bucket_name_here/*"
}
]
}
我认为,无论您使用IAM或其他类型的权限,都应提供全球读取访问权限。所以我通过这种配置成功了:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::buuuuu",
"arn:aws:s3:::buuuuu/*"
]
}
]
}