将 Duplicity 与 AWS S3 和 IAM 文件夹策略结合使用

将 Duplicity 与 AWS S3 和 IAM 文件夹策略结合使用

我正在尝试将多个主机的备份设置到一个存储桶。每个主机都有自己的 AWS 登录名和凭据。最顶层的文件夹(前缀)映射到 AWS 用户 ID,我正尝试仅限制对该文件夹的访问。

在备份过程中,我收到“S3ResponseError:403 Forbidden”。我使用以下策略:

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowGroupToSeeBucketListInTheConsole",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "AllowRootAndHomeListingOfCompanyBucket",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::mybucketexample"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:prefix": [
                        ""
                    ],
                    "s3:delimiter": [
                        "/"
                    ]
                }
            }
        },
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::mybucketexample"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "${aws:username}/*"
                    ]
                }
            }
        },
        {
            "Sid": "AllowAllS3ActionsInUserFolder",
            "Action": [
                "s3:*"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::mybucketexample/${aws:username}/*"
            ]
        }
    ]
}

当我附加允许所有访问 s3 的策略时,duplicity 备份工作正常。因此,上述策略缺少某些内容或存在错误。

一个有趣的观察:S3 中最终会出现重复文件,所以我想知道是否允许放置但不允许列出。

有任何想法吗?

答案1

我也遇到了这个问题,关于这个问题的详细讨论AWS 论坛

主要问题是,一些 S3 客户端根本没有在“ListBucket”请求中添加“前缀”。因此,“AllowRootAndHomeListingOfCompanyBucket”不匹配,因此访问被拒绝。这应该是 duplicity 的情况。

另一个解决方法是使用拒绝规则,这是由丹尼尔在该主题中。该政策应具有与您提到的政策相同的效果。

下面是修改并添加的用户变量,它应该适用于 duplicity:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUserToSeeBucketListInTheConsole",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "AllowRootAndHomeListingOfCompanyBucket",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::mybucketexample"
            ]
        },
        {
            "Sid": "DenyAllListingExceptRootAndUserFolders",
            "Effect": "Deny",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::mybucketexample"
            ],
            "Condition": {
                "Null": {
                    "s3:prefix": "false"
                },
                "StringNotLike": {
                    "s3:prefix": [
                        "",
                        "${aws:username}/*"
                    ]
                }
            }
        },
        {
            "Sid": "AllowAllS3ActionsInUserFolder",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::mybucketexample/${aws:username}/*"
            ]
        }
    ]
}

相关内容