我需要创建一个 S3 存储桶来托管我的用户上传的资产。
我尝试创建一个专用于 S3 的 IAM 用户,这基本上意味着: - 仅访问 S3,不访问其他任何内容 - 以编程方式 - 仅访问必须访问的存储桶 - 无需存储桶管理
以下是附加到该用户的政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:DeleteObjectTagging",
"s3:DeleteObjectVersion",
"s3:GetObjectVersionTagging",
"s3:PutObjectVersionTagging",
"s3:DeleteObjectVersionTagging",
"s3:PutObject",
"s3:GetObjectAcl",
"s3:GetObject",
"s3:GetObjectVersionAcl",
"s3:GetObjectTagging",
"s3:PutObjectTagging",
"s3:GetObjectVersionForReplication",
"s3:DeleteObject",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::my-bucket/"
}
]
}
此策略称为 AssetManager,如果我列出用户
ngw@bluemonday ~ aws iam list-users --profile utelier-admin
{
"Users": [
{
"Path": "/",
"UserName": "AssetManager",
"UserId": "USERID",
"Arn": "arn:aws:iam::1234567890:user/AssetManager",
"CreateDate": "2018-09-16T13:05:32Z"
}
]
}
然后我尝试创建存储桶my-bucket,但我很迷茫,不知道何时何地添加我的新用户。我看到我可以添加我的“帐户”甚至访问“其他 AWS 帐户”,但没有提到我的 IAM 用户,这非常令人困惑。
结果:我当前的设置不起作用:
2.5.1 :005 > require 'aws-sdk-s3'
=> false
2.5.1 :006 > s3 = Aws::S3::Resource.new(region:'eu-west-1', access_key_id: 'ACCESSKEY', secret_access_key: 'SECRET')
=> #<Aws::S3::Resource:0x00007fc88d384b88 @client=#<Aws::S3::Client>>
2.5.1 :007 > obj = s3.bucket('my-bucket').object('test.jpg')
=> #<Aws::S3::Object:0x00007fc88d6cb4b8 @bucket_name="my-bucket", @key="test.jpg", @data=nil, @client=#<Aws::S3::Client>>
2.5.1 :008 > obj.upload_file('/Users/ngw/something.jpg')
Traceback (most recent call last):
...
1: from /Users/ngw/.rvm/gems/ruby-2.5.1/gems/aws-sdk-core-3.27.0/lib/seahorse/client/plugins/raise_response_errors.rb:15:in `call'
Aws::S3::Errors::AccessDenied (Access Denied)
有人能解释一下吗?提前谢谢了。
答案1
问题是我必须更加明确地说明:
"Resource": "arn:aws:s3:::my-bucket/*"
失踪"/*"了。