AWS SDK 应用程序 运行 在什么上下文中用于 ACL?
AWS SDK What context do applications run in for ACL?
我们正在使用 AWS SDK (.net) 并已使用 PutObjectRequest 通过我们的程序成功上传文件。我知道如何在创建文件后设置文件的 ACL 权限,但是当尝试使用 GetObjectRequest 获取文件时,我们的应用程序正在获取 "Access Denied"。我意识到我不知道 运行 应用程序的用户 ID 是什么。如何确保我的应用程序具有读取文件所需的权限,而不使用 "public" 权限? (将文件上的 ACL 设置为 public 适用于应用程序)。
有没有办法让应用程序以特定用户或组的身份检索文件?
任何 AWS API 调用请求,需要一个 访问密钥和秘密密钥 对,可以从以下位置设置:
- 在应用程序中硬编码,
- AWS配置文件(默认在
~/.aws/credentials或C:\Users\*USERNAME*\.aws\credentials),或
- EC2 实例的实例角色。
对于 #1 和 #2,您可以在 https://console.aws.amazon.com/iam/home?region=us-east-1#users 中检查您的 IAM 用户权限。
对于 #3,您可以在 https://console.aws.amazon.com/iam/home?region=us-east-1#roles 中查看您的 IAM 角色。
确保 user/role 有足够的权限读取您的 S3 对象。您可以将此政策附加到 user/role:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1455021573875",
"Action": [
"s3:GetObject",
"s3:GetObjectAcl"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::your-bucket-name/*"
}
]
}
调整上述政策。您的应用现在应该具有读取对象访问权限。
顺便说一句,您可以在创建 资源时设置 ACL。您可以在 http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-using-dot-net-sdk.html.
上找到文档
static string bucketName = "*** Provide existing bucket name ***";
static string newBucketName = "*** Provide a name for a new bucket ***";
static string newKeyName = "*** Provide a name for a new key ***";
IAmazonS3 client;
client = new AmazonS3Client(Amazon.RegionEndpoint.USEast1);
// Retrieve ACL from one of the owner's buckets
S3AccessControlList acl = client.GetACL(new GetACLRequest
{
BucketName = bucketName,
}).AccessControlList;
// Describe grant for full control for owner.
S3Grant grant1 = new S3Grant
{
Grantee = new S3Grantee { CanonicalUser = acl.Owner.Id },
Permission = S3Permission.FULL_CONTROL
};
// Describe grant for write permission for the LogDelivery group.
S3Grant grant2 = new S3Grant
{
Grantee = new S3Grantee { URI = "http://acs.amazonaws.com/groups/s3/LogDelivery" },
Permission = S3Permission.WRITE
};
PutBucketRequest request = new PutBucketRequest()
{
BucketName = newBucketName,
BucketRegion = S3Region.US,
Grants = new List<S3Grant> { grant1, grant2 }
};
PutBucketResponse response = client.PutBucket(request);
PutObjectRequest objectRequest = new PutObjectRequest()
{
ContentBody = "Object data for simple put.",
BucketName = newBucketName,
Key = newKeyName,
Grants = new List<S3Grant> { grant1 }
};
PutObjectResponse objectResponse = client.PutObject(objectRequest);
我们正在使用 AWS SDK (.net) 并已使用 PutObjectRequest 通过我们的程序成功上传文件。我知道如何在创建文件后设置文件的 ACL 权限,但是当尝试使用 GetObjectRequest 获取文件时,我们的应用程序正在获取 "Access Denied"。我意识到我不知道 运行 应用程序的用户 ID 是什么。如何确保我的应用程序具有读取文件所需的权限,而不使用 "public" 权限? (将文件上的 ACL 设置为 public 适用于应用程序)。
有没有办法让应用程序以特定用户或组的身份检索文件?
任何 AWS API 调用请求,需要一个 访问密钥和秘密密钥 对,可以从以下位置设置:
- 在应用程序中硬编码,
- AWS配置文件(默认在
~/.aws/credentials或C:\Users\*USERNAME*\.aws\credentials),或 - EC2 实例的实例角色。
对于 #1 和 #2,您可以在 https://console.aws.amazon.com/iam/home?region=us-east-1#users 中检查您的 IAM 用户权限。
对于 #3,您可以在 https://console.aws.amazon.com/iam/home?region=us-east-1#roles 中查看您的 IAM 角色。
确保 user/role 有足够的权限读取您的 S3 对象。您可以将此政策附加到 user/role:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1455021573875",
"Action": [
"s3:GetObject",
"s3:GetObjectAcl"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::your-bucket-name/*"
}
]
}
调整上述政策。您的应用现在应该具有读取对象访问权限。
顺便说一句,您可以在创建 资源时设置 ACL。您可以在 http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-using-dot-net-sdk.html.
上找到文档static string bucketName = "*** Provide existing bucket name ***";
static string newBucketName = "*** Provide a name for a new bucket ***";
static string newKeyName = "*** Provide a name for a new key ***";
IAmazonS3 client;
client = new AmazonS3Client(Amazon.RegionEndpoint.USEast1);
// Retrieve ACL from one of the owner's buckets
S3AccessControlList acl = client.GetACL(new GetACLRequest
{
BucketName = bucketName,
}).AccessControlList;
// Describe grant for full control for owner.
S3Grant grant1 = new S3Grant
{
Grantee = new S3Grantee { CanonicalUser = acl.Owner.Id },
Permission = S3Permission.FULL_CONTROL
};
// Describe grant for write permission for the LogDelivery group.
S3Grant grant2 = new S3Grant
{
Grantee = new S3Grantee { URI = "http://acs.amazonaws.com/groups/s3/LogDelivery" },
Permission = S3Permission.WRITE
};
PutBucketRequest request = new PutBucketRequest()
{
BucketName = newBucketName,
BucketRegion = S3Region.US,
Grants = new List<S3Grant> { grant1, grant2 }
};
PutBucketResponse response = client.PutBucket(request);
PutObjectRequest objectRequest = new PutObjectRequest()
{
ContentBody = "Object data for simple put.",
BucketName = newBucketName,
Key = newKeyName,
Grants = new List<S3Grant> { grant1 }
};
PutObjectResponse objectResponse = client.PutObject(objectRequest);