AWS存储桶策略

本文介绍了AWS存储桶策略-权限被拒绝的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！ 问题描述

我正在尝试向另一个AWS账户中的用户授予存储桶itv-twitterstg-archive的访问权限，并且添加了以下存储桶策略.他们说他们收到了拒绝权限的消息.任何人都可以看到此政策的任何问题或推荐我可以尝试的其他方法吗? (ps，在此示例中，我已更改了存储桶的名称).保存后，水桶政策也应立即生效吗?

I'm trying to give a user from another AWS account access to the bucket itv-twitterstg-archive and I've added the following bucket policy. They say they are getting a permission denied message. Can anyone see any issues with this policy or recommend anything else I can try? (ps, I've changed the name of the bucket for this example). Also should a buckets policy come into effect as soon as you save it?

编辑**总结一下，我希望账户AWS AWS 456456615374的用户twitterstg-backup能够执行以下操作:

EDIT** To summarise, I want the user twitterstg-backup from account AWS account 456456615374 to be able to perform these actions:

"s3:GetObject*" "s3:PutObject" "s3:PutObjectAcl" "s3:DeleteObject" "s3:GetBucketLocation" "s3:GetBucketAcl" "s3:ListBucket"

.

{ "Version": "2012-10-17", "Id": "twitterstg backup policy", "Statement": [ { "Sid": "Allow read/write of Objects within archive from specific user", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::456456615374:user/twitterstg-backup" }, "Action": [ "s3:GetObject*", "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject" ], "Resource": "arn:aws:s3:::itv-twitterstg-archive/*" }, { "Sid": "Allow read/list of archive Bucket from specific user", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::456456615374:user/twitterstg-backup" }, "Action": [ "s3:GetBucketLocation", "s3:GetBucketAcl", "s3:ListBucket" ], "Resource": "arn:aws:s3:::itv-twitterstg-archive" } ] }

推荐答案

问题"中列出的您的政策对我来说非常正常！

Your policy as listed in the Question is working perfectly fine for me!

这就是我所做的:

在帐户A中:

• 创建了IAM用户(User-A)
• 获得了访问密钥&用户的秘密密钥

在帐户B中:

• 创建了Amazon S3存储桶(Bucket-B)
• 将您的策略​​添加为存储桶策略，并进行了一些更改:
  • 作为Principal，我插入了User-1
  的ARN
  • 作为Resource，使用了我的Amazon S3存储桶的名称
  • Created an Amazon S3 bucket (Bucket-B)
  • Added your policy as the Bucket Policy, with some changes:
    • As Principal, I inserted the ARN of User-1
    • As Resource, used the name of my Amazon S3 bucket

    然后我使用User-A中的凭据列出Bucket-B的内容:

    I then used the credentials from User-A to list the contents of Bucket-B:

    aws s3 ls s3://bucket-b --profile user-a

    我还复制了一个文件到Bucket-B:

    I also copied a file to Bucket-B:

    aws s3 cp foo s3://bucket-b --profile user-a

    底线:正常.您应该调查用户出问题的原因.您还应该尝试重现他们的处境(例如，自己尝试).

    Bottom line: It's working fine. You should investigate why your users are having a problem. You should also try to reproduce their situation (eg by trying it for yourself).