AWS。如何为文件夹而不是整个容器设置权限 PutObject？

Question

关于 AWS-MediaStore 服务。

尝试在用户端添加策略：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSElementalMediaStoreGetAccess",
            "Effect": "Allow",
            "Action": "mediastore:GetObject",
            "Resource": "*"
        }
    ]
}

容器端：

{
  "Version" : "2012-10-17",
  "Statement" : [ {
    "Sid" : "MediaStorePostToSpecificPath",
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "arn:aws:iam::CENSORED:root"
    },
    "Action" : "mediastore:PutObject",
    "Resource" : "arn:aws:mediastore:eu-central-1:CENSORED:container/test/path1/*",
    "Condition" : {
      "Bool" : {
        "aws:SecureTransport" : "true"
      }
    }
  } ]
}

但是 Post 到 Path1 告诉我访问被拒绝。是否可以设置可以为用户提供 PutObject 到定义文件夹中的策略？

Answer 1

不知道为什么，但经过几次尝试后，此配置开始正常工作：用户：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSElementalMediaStore",
            "Effect": "Allow",
            "Action": [
                "mediastore:GetObject"
            ],
            "Resource": "*"
        }
    ]
}

容器：

{
  "Version" : "2012-10-17",
  "Statement" : [ {
    "Sid" : "MediaStoreAccess",
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "arn:aws:iam::CENSORED:user/bot"
    },
    "Action" : "mediastore:PutObject",
    "Resource" : "arn:aws:mediastore:eu-central-1:CENSORED:container/test/path1/*",
    "Condition" : {
      "Bool" : {
        "aws:SecureTransport" : "true"
      }
    }
  } ]
}

现在用户 bot 只能将文件放在 path1 文件夹中。可能是我遇到了这个问题，因为政策适用的不是那么快...

AWS。如何为文件夹而不是整个容器设置权限 PutObject？

AWS. How to set permisson PutObject for folder, but not on whole container?

amazon-web-services

aws-iam