一个组需要什么权限才能通过 travisci 发布到 s3
What permissions does a group need in order to publish to s3 via travisci
我正在将我所有的网站从我的服务器上移到 s3 上。我已经将它们从动态站点移动到静态站点,因此 运行 操作不再需要服务器。
最后一个站点是我的博客,它运行 jekyll,我宁愿不必在本地构建来发布新内容。我不想把它留到 github 页,因为我不想被困在 jekyll 中。
所有这一切都表明我正在尝试将构建过程从我的 jenkins 服务器转移到 travis ci。从文档中我认为我已经为该组提供了正确的权限,但是如果不向 group/user.
授予 "s3:*",我就无法正常工作
这是我当前的 iam 组权限策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:PutObjectVersion",
"s3:GetObjectVersion",
"s3:DeleteObjectVersion",
"s3:ListMultipartUploadParts",
"s3:ListMultipartUpload",
"s3:RestoreObject",
"s3:GetObjectVersionTorrent",
"s3:GetObjectTorrent",
"s3:PutObjectVersionTagging",
"s3:PutObjectTagging",
"s3:GetObjectVersionTagging",
"s3:GetObjectTagging",
"s3:DeleteObjectTagging",
"s3:DeleteObjectVersionTagging"
],
"Resource": [
"arn:aws:s3:::travis-s3-pub-test/*"
]
}
]
}
根据 aws 文档,唯一需要的权限是:
```
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
```
但这不起作用。
在我工作的 sys-admin jfronza 的帮助下,我找到了答案。
我遗漏了政策的 acl 部分。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectTorrent",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:GetObjectVersionTorrent",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl",
"s3:RestoreObject"
],
"Resource": [
"arn:aws:s3:::travis-s3-pub-test/",
"arn:aws:s3:::travis-s3-pub-test/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": [
"arn:aws:s3:::*"
]
}
]
}
acl 部分是文件权限发生的地方,因为上传的文件需要 public 他们需要此权限。
虽然 Amazon docs on s3 policies on this are quite bad, the travisCI docs on working with s3 很好,如果我在发布之前看到它们,请准确告诉我。
我正在将我所有的网站从我的服务器上移到 s3 上。我已经将它们从动态站点移动到静态站点,因此 运行 操作不再需要服务器。
最后一个站点是我的博客,它运行 jekyll,我宁愿不必在本地构建来发布新内容。我不想把它留到 github 页,因为我不想被困在 jekyll 中。
所有这一切都表明我正在尝试将构建过程从我的 jenkins 服务器转移到 travis ci。从文档中我认为我已经为该组提供了正确的权限,但是如果不向 group/user.
授予"s3:*",我就无法正常工作
这是我当前的 iam 组权限策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:PutObjectVersion",
"s3:GetObjectVersion",
"s3:DeleteObjectVersion",
"s3:ListMultipartUploadParts",
"s3:ListMultipartUpload",
"s3:RestoreObject",
"s3:GetObjectVersionTorrent",
"s3:GetObjectTorrent",
"s3:PutObjectVersionTagging",
"s3:PutObjectTagging",
"s3:GetObjectVersionTagging",
"s3:GetObjectTagging",
"s3:DeleteObjectTagging",
"s3:DeleteObjectVersionTagging"
],
"Resource": [
"arn:aws:s3:::travis-s3-pub-test/*"
]
}
]
}
根据 aws 文档,唯一需要的权限是:
```
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
```
但这不起作用。
在我工作的 sys-admin jfronza 的帮助下,我找到了答案。
我遗漏了政策的 acl 部分。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectTorrent",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:GetObjectVersionTorrent",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl",
"s3:RestoreObject"
],
"Resource": [
"arn:aws:s3:::travis-s3-pub-test/",
"arn:aws:s3:::travis-s3-pub-test/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": [
"arn:aws:s3:::*"
]
}
]
}
acl 部分是文件权限发生的地方,因为上传的文件需要 public 他们需要此权限。
虽然 Amazon docs on s3 policies on this are quite bad, the travisCI docs on working with s3 很好,如果我在发布之前看到它们,请准确告诉我。