我正在尝试将多个主机的备份设置到一个存储桶。每个主机都有自己的 AWS 登录名和凭据。最顶层的文件夹(前缀)映射到 AWS 用户 ID,我正尝试仅限制对该文件夹的访问。
在备份过程中,我收到“S3ResponseError:403 Forbidden”。我使用以下策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowGroupToSeeBucketListInTheConsole",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "AllowRootAndHomeListingOfCompanyBucket",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::mybucketexample"
],
"Condition": {
"StringEquals": {
"s3:prefix": [
""
],
"s3:delimiter": [
"/"
]
}
}
},
{
"Sid": "AllowListingOfUserFolder",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::mybucketexample"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"${aws:username}/*"
]
}
}
},
{
"Sid": "AllowAllS3ActionsInUserFolder",
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::mybucketexample/${aws:username}/*"
]
}
]
}
当我附加允许所有访问 s3 的策略时,duplicity 备份工作正常。因此,上述策略缺少某些内容或存在错误。
一个有趣的观察:S3 中最终会出现重复文件,所以我想知道是否允许放置但不允许列出。
有任何想法吗?
答案1
我也遇到了这个问题,关于这个问题的详细讨论AWS 论坛。
主要问题是,一些 S3 客户端根本没有在“ListBucket”请求中添加“前缀”。因此,“AllowRootAndHomeListingOfCompanyBucket”不匹配,因此访问被拒绝。这应该是 duplicity 的情况。
另一个解决方法是使用拒绝规则,这是由丹尼尔在该主题中。该政策应具有与您提到的政策相同的效果。
下面是修改并添加的用户变量,它应该适用于 duplicity:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "AllowRootAndHomeListingOfCompanyBucket",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::mybucketexample"
]
},
{
"Sid": "DenyAllListingExceptRootAndUserFolders",
"Effect": "Deny",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::mybucketexample"
],
"Condition": {
"Null": {
"s3:prefix": "false"
},
"StringNotLike": {
"s3:prefix": [
"",
"${aws:username}/*"
]
}
}
},
{
"Sid": "AllowAllS3ActionsInUserFolder",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::mybucketexample/${aws:username}/*"
]
}
]
}