AWS:s3 存储桶策略不允许 IAM 用户访问上传到存储桶,抛出 403 错误
AWS: s3 bucket policy does not give IAM user access to upload to bucket, throws 403 error
我有一个 S3 存储桶,它与根凭据(AWS_ACCESS_KEY_ID 和 AWS_SECRET_ACCESS_KEY)完美配合,可以将文件上传到存储桶。
我创建了一个 IAM 用户。
我试图通过创建此 policy 并将其附加到该存储桶来授予此 IAM 用户 将文件上传到该存储桶的特权:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement2",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::122xxxxxxxx28:user/iam-user-name"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket-name"
}
]
}
但是,当我尝试上传文件时,出现此错误:
> PUT
> https://bucket-name.s3.region-code.amazonaws.com/images/60ded1353752602bf4b364ee.jpeg?Content-Type=image%2F%2A&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIARZARRPPIBMVEWKUW%2F20220128%2Feu-west-3%2Fs3%2Faws4_request&X-Amz-Date=20220128T123229Z&X-Amz-Expires=300&X-Amz-Signature=dfdc3d92f6e52da5387c113ddd793990d1033fdd7318b42b2573594835c01643&X-Amz-SignedHeaders=host%3Bx-amz-acl&x-amz-acl=public-read
> 403 (Forbidden)
上传是这样的:
- 我在后端生成一个预签名-url:
var getImageSignedUrl = async function (key) {
return new Promise((resolve, reject) => {
s3.getSignedUrl(
"putObject",
{
Bucket: AWS_BUCKET_NAME,
Key: key,
ContentType: "image/*",
ACL: "public-read",
Expires: 300,
},
(err, url) => {
if (err) {
reject(err);
} else {
resolve(url);
}
}
);
});
};
- 然后使用 url:
在前端上传文件
await axios.put(uploadConfig.url, file, {
headers: {
"Content-Type": file.type,
"x-amz-acl": "public-read",
},
transformRequest: (data, headers) => {
delete headers.common["Authorization"];
return data;
},
});
您可能需要更换:
"Resource": "arn:aws:s3:::bucket-name"
与:
"Resource": ["arn:aws:s3:::bucket-name","arn:aws:s3:::bucket-name/*"]
S3:PutObject 等操作适用于存储桶中的特定对象,例如:bucket-name/image_1.png,因此添加通配符资源可以访问这些对象操作。
我有一个 S3 存储桶,它与根凭据(AWS_ACCESS_KEY_ID 和 AWS_SECRET_ACCESS_KEY)完美配合,可以将文件上传到存储桶。
我创建了一个 IAM 用户。
我试图通过创建此 policy 并将其附加到该存储桶来授予此 IAM 用户 将文件上传到该存储桶的特权:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement2",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::122xxxxxxxx28:user/iam-user-name"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket-name"
}
]
}
但是,当我尝试上传文件时,出现此错误:
> PUT
> https://bucket-name.s3.region-code.amazonaws.com/images/60ded1353752602bf4b364ee.jpeg?Content-Type=image%2F%2A&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIARZARRPPIBMVEWKUW%2F20220128%2Feu-west-3%2Fs3%2Faws4_request&X-Amz-Date=20220128T123229Z&X-Amz-Expires=300&X-Amz-Signature=dfdc3d92f6e52da5387c113ddd793990d1033fdd7318b42b2573594835c01643&X-Amz-SignedHeaders=host%3Bx-amz-acl&x-amz-acl=public-read
> 403 (Forbidden)
上传是这样的:
- 我在后端生成一个预签名-url:
var getImageSignedUrl = async function (key) {
return new Promise((resolve, reject) => {
s3.getSignedUrl(
"putObject",
{
Bucket: AWS_BUCKET_NAME,
Key: key,
ContentType: "image/*",
ACL: "public-read",
Expires: 300,
},
(err, url) => {
if (err) {
reject(err);
} else {
resolve(url);
}
}
);
});
};
- 然后使用 url: 在前端上传文件
await axios.put(uploadConfig.url, file, {
headers: {
"Content-Type": file.type,
"x-amz-acl": "public-read",
},
transformRequest: (data, headers) => {
delete headers.common["Authorization"];
return data;
},
});
您可能需要更换:
"Resource": "arn:aws:s3:::bucket-name"
与:
"Resource": ["arn:aws:s3:::bucket-name","arn:aws:s3:::bucket-name/*"]
S3:PutObject 等操作适用于存储桶中的特定对象,例如:bucket-name/image_1.png,因此添加通配符资源可以访问这些对象操作。