我有一个云形成模板,我正在尝试在其中创建一个托管策略,我可以在其中控制对文件夹中对象的访问。我曾经有过这个工作,但我更改了模板中的某些内容,需要第二双眼睛来希望指出拼写错误或我的权限集错误的地方。
CF (yaml( 定义如下所示:
- Sid: ExternalLISTReturns
Effect: Allow
Action:
- s3:ListBucket
Condition:
ForAnyValue:StringEquals:
s3:prefix: "folder1/returns/*"
Resource: !Join
- 's3:prefix'
- - !Ref S3ContainerName
- Sid: ExternalLISTUploads
Effect: Allow
Action:
- s3:ListBucket
Condition:
ForAnyValue:StringEquals:
s3:prefix: "folder1/uploads/*"
Resource: !Join
- 's3:prefix'
- - !Ref S3ContainerName
打包并部署后,JSON 定义在策略管理器中如下所示:
{
"Version": "2012-10-17",
"Statement": [
{
"Condition": {
"ForAnyValue:StringEquals": {
"s3:prefix": "folder1/returns/*"
}
},
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::mydeployedbucket",
"Effect": "Allow",
"Sid": "ExternalLISTReturns"
},
{
"Condition": {
"ForAnyValue:StringEquals": {
"s3:prefix": "folder1/uploads/*"
}
},
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::mydeployedbucket",
"Effect": "Allow",
"Sid": "ExternalLISTUploads"
}
]
}
该策略看起来有效,但是当我尝试使用 cli 列出项目时
aws s3 ls s3://mydeployedbucket/folder1/uploads --profile testaccount
我收到错误
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
是否有任何缺失或需要的东西跳出来?目的是仅允许列出与此策略关联的用户的前缀为 folder1/uploads
或 folder1/returns
在挖掘更多内容后,我发现问题在于我如何为 LIST 存储桶声明我的资源。我最初将资源定义为对象而不是存储桶。我还发现我可以在条件定义中使用StringLike
。 StringEquals
也有效,但我不必明确声明ForAnyValue:
我更新了 CF 模板,因此列表权限如下所示:
- Sid: ExternalLISTUploads
Effect: Allow
Action:
- s3:ListBucket
Condition:
StringLike:
s3:prefix: "folder1/uploads/*"
Resource: !Join
- ''
- - !Ref S3ContainerName