如何创建具有 Public 读取权限的存储桶?
How to create a bucket with Public Read Access?
我想对 serverless.yml 文件的 "public" 文件夹中我存储桶中的所有项目启用 Public 读取访问权限。
目前这是我用来声明我的存储桶的定义代码。它是从无服务器堆栈示例之一复制和粘贴的。
Resources:
AttachmentsBucket:
Type: AWS::S3::Bucket
Properties:
AccessControl: PublicRead
# Set the CORS policy
BucketName: range-picker-bucket-${self:custom.stage}
CorsConfiguration:
CorsRules:
-
AllowedOrigins:
- '*'
AllowedHeaders:
- '*'
AllowedMethods:
- GET
- PUT
- POST
- DELETE
- HEAD
MaxAge: 3000
# Print out the name of the bucket that is created
Outputs:
AttachmentsBucketName:
Value:
Ref: AttachmentsBucket
现在,当我尝试对文件使用 url 时,它 returns 访问被拒绝。我必须在 aws-s3 网络界面中手动设置每个文件的 public 读取权限。
我做错了什么?
而不是在存储桶上使用 CorsConfiguration,您需要对它使用 attach a bucket policy。请尝试以下操作:
Resources:
AttachmentsBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: range-picker-bucket-${self:custom.stage}
AttachmentsBucketAllowPublicReadPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref AttachmentsBucket
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "s3:GetObject"
Resource:
- !Join ['/', [!Ref AttachmentsBucket, 'public']]
Principal: "*"
正如其他人所说,您需要实施 存储桶策略 ,例如:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadForGetBucketObjects",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::{NAME_OF_YOUR_BUCKET_HERE}/*"
}
]
}
这可以在 AWS 控制台中完成,方法是选择 Bucket,然后选择 Permissions,然后选择 Bucket Policy。看起来@Milan C. 正在指示如何在 serverless.yml 文件中声明它。
已接受的答案对我不起作用。 CloudFormation 无法更新资源,出现错误:
Action does not apply to any resource(s) in statement (Service: Amazon S3; Status Code: 400; Error Code: MalformedPolicy; Request ID: <...>; S3 Extended Request ID: <...>; Proxy: null)
资源定义中似乎缺少通配符。对我有用的完整代码段:
PublicBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: 'public-bucket-name'
PublicBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref PublicBucket
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- 's3:GetObject'
Resource:
- !Join ['/', [!GetAtt [PublicBucket, Arn], '*']]
Principal: '*'
我想对 serverless.yml 文件的 "public" 文件夹中我存储桶中的所有项目启用 Public 读取访问权限。
目前这是我用来声明我的存储桶的定义代码。它是从无服务器堆栈示例之一复制和粘贴的。
Resources:
AttachmentsBucket:
Type: AWS::S3::Bucket
Properties:
AccessControl: PublicRead
# Set the CORS policy
BucketName: range-picker-bucket-${self:custom.stage}
CorsConfiguration:
CorsRules:
-
AllowedOrigins:
- '*'
AllowedHeaders:
- '*'
AllowedMethods:
- GET
- PUT
- POST
- DELETE
- HEAD
MaxAge: 3000
# Print out the name of the bucket that is created
Outputs:
AttachmentsBucketName:
Value:
Ref: AttachmentsBucket
现在,当我尝试对文件使用 url 时,它 returns 访问被拒绝。我必须在 aws-s3 网络界面中手动设置每个文件的 public 读取权限。
我做错了什么?
而不是在存储桶上使用 CorsConfiguration,您需要对它使用 attach a bucket policy。请尝试以下操作:
Resources:
AttachmentsBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: range-picker-bucket-${self:custom.stage}
AttachmentsBucketAllowPublicReadPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref AttachmentsBucket
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "s3:GetObject"
Resource:
- !Join ['/', [!Ref AttachmentsBucket, 'public']]
Principal: "*"
正如其他人所说,您需要实施 存储桶策略 ,例如:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadForGetBucketObjects",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::{NAME_OF_YOUR_BUCKET_HERE}/*"
}
]
}
这可以在 AWS 控制台中完成,方法是选择 Bucket,然后选择 Permissions,然后选择 Bucket Policy。看起来@Milan C. 正在指示如何在 serverless.yml 文件中声明它。
已接受的答案对我不起作用。 CloudFormation 无法更新资源,出现错误:
Action does not apply to any resource(s) in statement (Service: Amazon S3; Status Code: 400; Error Code: MalformedPolicy; Request ID: <...>; S3 Extended Request ID: <...>; Proxy: null)
资源定义中似乎缺少通配符。对我有用的完整代码段:
PublicBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: 'public-bucket-name'
PublicBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref PublicBucket
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- 's3:GetObject'
Resource:
- !Join ['/', [!GetAtt [PublicBucket, Arn], '*']]
Principal: '*'