之类的对象级操作所必需的
我试图在单个S3存储桶上提供所有权限,但要给单个文件夹。我正在尝试使用明确否认文件夹名称为北京路径就像Buck123检验/中国/北京/。存储桶名是buck123测试。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1561641021576",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::buck123-test"
},
{
"Sid": "Stmt1561639869054",
"Action": "s3:*",
"Effect": "Deny",
"Resource": "arn:aws:s3:::buck123-test/china/Beijing"
}
]
}
我如何达到我的要求,因为上述策略不起作用
您的策略缺少对象中对象的Allow操作。
那呢?(未经测试,让我们报告是否有效(
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1561641021576",
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::buck123-test", "arn:aws:s3:::buck123-test/*"]
},
{
"Sid": "Stmt1561639869054",
"Action": "s3:*",
"Effect": "Deny",
"Resource": "arn:aws:s3:::buck123-test/china/Beijing/*"
}
]
}
请注意,您需要两个资源。ListBucket和其他存储级级别操作只需要使用存储桶名的资源。/*资源是Put和Get
修订后的答案,您缺少策略文档的一些关键部分,请尝试使用它,但我尚未对此进行测试。
如果要允许用户getObject,putobject等,则可以添加其他操作。
。{
"Id": "Policy1561648158487",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1561648106618",
"Action": "s3:*",
"Effect": "Deny",
"Resource": "arn:aws:s3:::buck123-test/china/Beijing/*",
"Principal": "*"
},
{
"Sid": "Stmt1561648156125",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::buck123-test/*",
"Principal": "*"
}
]
}