Basic idea to access items in S3 bucket from Browser
I use [django-s3direct][1] to upload files to an S3 bucket.
After the file is uploaded, the URL is this:
https://s3.ap-northeast-1.amazonaws.com/cdk-sample-bk/line-assets/images/e236fc508939466a96df6b6066f418ec/1040
But when I access it from the browser, I get an error.

```xml
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>025WQBJQ5K2W5Z5W</RequestId>
<HostId>FF3VeIft8zSQ7mRK1a5e4l8jolxHBB40TEh6cPhW0qQtDqT7k3ptgCQt3/nusiehDIXkgvxXkcc=</HostId>
</Error>
```

Can I use the s3.ap-northeast-1.amazonaws.com URL now? Or do I need to create an access point?
The access permission is public and block public access is turned off.
The bucket policy looks like this:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::678100228133:role/st-dev-base-stack-CustomS3AutoDeleteObjectsCustomR-MLBJDQF3OWFJ"
      },
      "Action": [
        "s3:GetBucket*",
        "s3:List*",
        "s3:DeleteObject*"
      ],
      "Resource": [
        "arn:aws:s3:::cdk-st-dev-sample-bk",
        "arn:aws:s3:::cdk-st-dev-sample-bk/*"
      ]
    }
  ]
}
```

Is there anything else I need to check?
As @marcin said, your bucket policy only allows actions by the IAM role arn:aws:iam::678100228133:role/st-dev-base-stack-CustomS3AutoDeleteObjectsCustomR-MLBJDQF3OWFJ. If you want the public to access all objects (not recommended for writes), you need to change the bucket policy as follows:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetBucket*",
        "s3:GetObject",
        "s3:List*",
        "s3:DeleteObject*"
      ],
      "Resource": [
        "arn:aws:s3:::cdk-st-dev-sample-bk",
        "arn:aws:s3:::cdk-st-dev-sample-bk/*"
      ]
    }
  ]
}
```

The policy above makes all of your bucket objects publicly accessible (and also lets the public delete them!!). My recommendation is to use django-storages and presigned URLs to let your users access your bucket objects.
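To see why the first policy yields AccessDenied for an anonymous browser request and why the second one is dangerous, here is an added example (not code from the thread or from django-s3direct) that evaluates both policies, plus a constructed least-privilege read-only variant, with a simplified bucket-policy matcher. The bucket and role ARNs are taken from the policies quoted above; the `anonymous` caller marker and the `PUBLIC_READ_ONLY` policy are my own constructions.

```python
import fnmatch

BUCKET = "arn:aws:s3:::cdk-st-dev-sample-bk"
ROLE = "arn:aws:iam::678100228133:role/st-dev-base-stack-CustomS3AutoDeleteObjectsCustomR-MLBJDQF3OWFJ"
ANONYMOUS = "anonymous"  # constructed marker for an unauthenticated browser request
OBJECT = BUCKET + "/line-assets/images/e236fc508939466a96df6b6066f418ec/1040"

# Policy 1: the asker's policy, whose only principal is the CDK auto-delete role.
ROLE_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ROLE},
    "Action": ["s3:GetBucket*", "s3:List*", "s3:DeleteObject*"],
    "Resource": [BUCKET, BUCKET + "/*"]}]}

# Policy 2: the answer's public policy, which also hands anonymous callers DeleteObject.
PUBLIC_ALL = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetBucket*", "s3:GetObject", "s3:List*", "s3:DeleteObject*"],
    "Resource": [BUCKET, BUCKET + "/*"]}]}

# Policy 3 (constructed): public read of objects only, no listing and no deletion.
PUBLIC_READ_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": BUCKET + "/*"}]}

def _matches(patterns, value):
    # IAM allows a single string or a list; "*" and "?" are the only wildcards.
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def _principal_matches(principal, caller):
    # "*" covers every caller, anonymous included; {"AWS": ...} names specific ARNs.
    return principal == "*" or (
        isinstance(principal, dict) and _matches(principal.get("AWS", []), caller))

def is_allowed(policy, caller, action, resource):
    # Simplified evaluation: an explicit Deny wins, otherwise any matching Allow grants.
    allowed = False
    for stmt in policy["Statement"]:
        if (_principal_matches(stmt["Principal"], caller)
                and _matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource)):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def anonymous_write_actions(policy, resource, candidates=("s3:DeleteObject", "s3:PutObject")):
    # The check a reviewer wants before approving a Principal "*" policy.
    return [a for a in candidates if is_allowed(policy, ANONYMOUS, a, resource)]
```

Running `anonymous_write_actions(PUBLIC_ALL, OBJECT)` returns `["s3:DeleteObject"]`, which is exactly the problem the answer warns about; the read-only variant returns an empty list while still serving the object URL.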