我在bucket上设置了权限,允许"Authenticated Users"从我创建的bucket中列出、上传和删除。这似乎允许我将文件上传到bucket,但从bucket下载文件似乎不在该权限范围内,因此我需要为bucket定义策略。我不清楚如何制定这样的政策。我尝试了策略生成器,并对应该填写的内容进行了最佳猜测,但当我将其粘贴为bucket的新策略时,结果不是有效的策略(它失败了,并显示消息Action does not apply to any resource(s) in statement - Action "s3:ListBucket" in Statement "Stmt-some-number"
)。有人能解释一下下面的策略有什么问题,以及如何正确设置它以允许经过身份验证的用户从bucket中检索文件吗?
{
"Id": "Policy-some-number",
"Statement": [
{
"Sid": "Stmt-some-number",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*",
"Principal": {
"AWS": [
"*"
]
}
}
]
}
s3:GetObject
应用于bucket中的对象,因此Resource是正确的:"Resource": "arn:aws:s3:::my-bucket/*"
。
s3:ListBucket
应用于Bucket本身,因此Resource应该是"Resource": "arn:aws:s3:::my-bucket"
您得到的策略应该类似于:
{
"Id": "Policy-some-number",
"Statement": [
{
"Sid": "Stmt-some-number",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*",
"Principal": {
"AWS": [
"*"
]
}
},
{
"Sid": "Stmt-some-other-number",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket",
"Principal": {
"AWS": [
"*"
]
}
}
]
}
只是为了赞美@c4urself的回答。答案也有助于解决我的问题,但AWS文档中有一些指示,您可以添加多个资源,只需使用[]将它们列为列表即可。http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html#vpc-端点s3-分组策略
{
"Statement": [
{
"Sid": "Access-to-specific-bucket-only",
"Principal": "*",
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::my_secure_bucket",
"arn:aws:s3:::my_secure_bucket/*"]
}
]
}
更新Bucket策略如下
{
"Version": "2012-10-17",
"Id": "Policy1546023103427",
"Statement": [
{
"Sid": "Stmt1546023101836",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::usagereports-atul",
"arn:aws:s3:::usagereports-atul/*"
]
}
]
}
只需制作资源和数组/资源列表,并使用/*向列表中添加一个项目,因为s3:GetObject应用于arn:aws:s3::my_secure_bucket/*。见下文
"Resource": ["arn:aws:s3:::my_secure_bucket",
"arn:aws:s3:::my_secure_bucket/*"