Attach existing policies directly for programmatic access to S3

Updated: 2024-10-15 04:19:41

Question

I am creating a user that needs read and write access to S3 programmatically.

Under "Attach existing policies directly" there are too many policies and I don't know which of them is the one I need.

Recommended answer

If you wish to grant one IAM User access to do anything in Amazon S3, you can simply attach the AmazonS3FullAccess policy, which grants:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}

However, this lets them do anything (including deleting buckets). Normally, people would be assigned specific permissions for a given bucket, such as this inline policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket/*",
                "arn:aws:s3:::my-bucket"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        }
    ]
}

Note that some actions apply to the bucket itself, while others apply to the contents (/*) of the bucket.
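The bucket-versus-contents distinction in the answer above can be checked mechanically before a policy is attached. The following is an added example, not part of the original answer: a small linter that flags `s3:*` grants and statements whose actions cannot match any listed resource. The action classification, the finding codes and the `BROKEN` sample policy are assumptions constructed for illustration and cover only the actions used in the policy above.

```python
import json

# Assumed classification, limited to the actions used in the policy above.
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:GetObjectAcl", "s3:PutObject", "s3:DeleteObject"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers(resource):
    """Return (covers_bucket, covers_objects) for one S3 resource pattern."""
    if resource == "*":
        return True, True
    name = resource.split(":::", 1)[-1]   # text after arn:aws:s3:::
    if "/" in name:
        return False, True                # bucket/key-pattern: objects only
    return True, "*" in name              # bare bucket; a wildcard may also span keys

def lint_policy(policy):
    """Return a list of (statement_index, code, detail) findings."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        covers = [_covers(r) for r in _as_list(stmt.get("Resource", []))]
        has_bucket = any(b for b, _ in covers)
        has_objects = any(o for _, o in covers)
        for action in actions:
            if action in ("*", "s3:*"):
                # Full access: includes destructive calls such as deleting buckets.
                findings.append((idx, "wildcard-action", action))
            elif action in BUCKET_ACTIONS and not has_bucket:
                findings.append((idx, "needs-bucket-arn", action))
            elif action in OBJECT_ACTIONS and not has_objects:
                findings.append((idx, "needs-object-arn", action))
    return findings

# Constructed sample: object action granted, but the "/*" resource was forgotten.
BROKEN = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::my-bucket"}]}""")

if __name__ == "__main__":
    for finding in lint_policy(BROKEN):
        print(finding)
```
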

Published: 2023-11-23 16:42:05