我目前有一个用户策略,允许用户访问他们分配到的特定 S3 存储桶。此功能非常完美。但是,现在我需要将说明附加到此策略,以授予用户对已为其创建的弹性转码器管道的访问权限。我尝试按照此处的说明进行操作,但策略一直失败。我是 IAM 策略语法的新手,可以使用一只手。请参阅以下示例:
目前实施的功能政策:
{
"Statement": [
{
"Effect": "Allow",
"NotAction": [
"s3:CreateBucket",
"s3:DeleteBucket"
],
"Resource": "arn:aws:s3:::org-b-bucket",
"Condition": {}
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::org-b-bucket/*",
"Condition": {}
},
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*",
"Condition": {}
}
]
}
已编辑策略尝试添加权限(插入虚拟帐户信息):
{
"Statement": [
{
"Effect": "Allow",
"NotAction": [
"s3:CreateBucket",
"s3:DeleteBucket"
],
"Resource": "arn:aws:s3:::org-b-bucket",
"Condition": {}
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::org-b-bucket/*",
"Condition": {}
},
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*",
"Condition": {}
},
{
"Effect":"Allow",
"Action":[
"elastictranscoder:List*",
"elastictranscoder:Read*",
"elastictranscoder:CreateJob"
],
"Resource":[
"arn:aws:elastictranscoder:us-east-1:123456789123:pipeline/1234567891234-qwerty",
"arn:aws:elastictranscoder:us-east-1:123456789123:job/*"
]
}
]
}
您应该检查区域,为创建管道时设置的客户端选择相同的区域。查看此处了解详细的下水道