如何将一个 IAM 用户限制为只有 1 个存储桶?
How do I restrict an IAM user to just 1 bucket?
我有一个存储桶 myapp,我想将新创建的 IAM 用户(没有组策略)限制到该存储桶。
但我不知道该怎么做。
我试过这个:
{
"Statement": [
{
"Effect":"Allow",
"Action": [
"s3:ListBucket"
],
"Resource":"arn:aws:s3:::myapp/*"
}
]
}
然而,当我使用该用户登录 IAM 控制台时,我看到:
我该如何实现?
编辑 1
这是我现在为我的用户使用的政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::myapp"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::myapp/*"
]
}
]
}
但是,当我上传图片时,出现此错误:
Excon::Errors::Forbidden at /jobs
Expected(200) <=> Actual(403 Forbidden)
excon.error.response
:body => "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>0FF1D4848595DCFB</RequestId><HostId>+RrQvNFwV2hAcYPK3ZJJYzy5uiA7Aag0oc1Gpp3hENJ9lzJz453j8qJeLbdQ8jN4cc3ViRJ1lEg=</HostId></Error>"
:cookies => [
]
:headers => {
"Connection" => "close"
"Content-Type" => "application/xml"
"Date" => "Sat, 25 Jun 2016 18:54:24 GMT"
"Server" => "AmazonS3"
"x-amz-id-2" => "+R3ViRJ1lEg="
"x-amz-request-id" => "0FF1DCFB"
}
:host => "s3.amazonaws.com"
:local_address => "192.168.1.102"
:local_port => 23456
:path => "/logos/company/logo/48/amped-logo.png"
:port => 443
:reason_phrase => "Forbidden"
:remote_ip => "xx.xx.xxx.xxx"
:status => 403
:status_line => "HTTP/1.1 403 Forbidden\r\n"
这是我的 CORS 规则:
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
<AllowedOrigin>http://localhost:3000</AllowedOrigin>
<AllowedMethod>HEAD</AllowedMethod>
<AllowedMethod>GET</AllowedMethod>
<AllowedMethod>PUT</AllowedMethod>
<AllowedMethod>POST</AllowedMethod>
<AllowedMethod>DELETE</AllowedMethod>
<ExposeHeader>ETag</ExposeHeader>
<AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>
编辑 2
我终于解决了这个问题,如您所见:AWS S3 403 Forbidden Error on newly created IAM inline policy for a new IAM user
您需要添加 getbucketlocation 和 listAllbuckets 权限以允许用户控制台访问。
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::myapp/*"
}
]
}
我有一个存储桶 myapp,我想将新创建的 IAM 用户(没有组策略)限制到该存储桶。
但我不知道该怎么做。
我试过这个:
{
"Statement": [
{
"Effect":"Allow",
"Action": [
"s3:ListBucket"
],
"Resource":"arn:aws:s3:::myapp/*"
}
]
}
然而,当我使用该用户登录 IAM 控制台时,我看到:
我该如何实现?
编辑 1
这是我现在为我的用户使用的政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::myapp"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::myapp/*"
]
}
]
}
但是,当我上传图片时,出现此错误:
Excon::Errors::Forbidden at /jobs
Expected(200) <=> Actual(403 Forbidden)
excon.error.response
:body => "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>0FF1D4848595DCFB</RequestId><HostId>+RrQvNFwV2hAcYPK3ZJJYzy5uiA7Aag0oc1Gpp3hENJ9lzJz453j8qJeLbdQ8jN4cc3ViRJ1lEg=</HostId></Error>"
:cookies => [
]
:headers => {
"Connection" => "close"
"Content-Type" => "application/xml"
"Date" => "Sat, 25 Jun 2016 18:54:24 GMT"
"Server" => "AmazonS3"
"x-amz-id-2" => "+R3ViRJ1lEg="
"x-amz-request-id" => "0FF1DCFB"
}
:host => "s3.amazonaws.com"
:local_address => "192.168.1.102"
:local_port => 23456
:path => "/logos/company/logo/48/amped-logo.png"
:port => 443
:reason_phrase => "Forbidden"
:remote_ip => "xx.xx.xxx.xxx"
:status => 403
:status_line => "HTTP/1.1 403 Forbidden\r\n"
这是我的 CORS 规则:
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
<AllowedOrigin>http://localhost:3000</AllowedOrigin>
<AllowedMethod>HEAD</AllowedMethod>
<AllowedMethod>GET</AllowedMethod>
<AllowedMethod>PUT</AllowedMethod>
<AllowedMethod>POST</AllowedMethod>
<AllowedMethod>DELETE</AllowedMethod>
<ExposeHeader>ETag</ExposeHeader>
<AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>
编辑 2
我终于解决了这个问题,如您所见:AWS S3 403 Forbidden Error on newly created IAM inline policy for a new IAM user
您需要添加 getbucketlocation 和 listAllbuckets 权限以允许用户控制台访问。
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::myapp/*"
}
]
}