我正在创建一个需要以编程方式对S3进行读写访问的用户.
I am creating a user that needs a read and write access to S3 programatically.
在直接附加现有策略"下,有太多策略,我不知道我需要哪一个.
Under "Attach existing policies directly" there are too many policies and I don't know which of them is the one I need.
推荐答案如果您希望授予一个IAM用户访问Amazon S3中的执行任何操作的功能,您只需附加 AmazonS3FullAccess 政策,该政策授予:
If you wish to grant one IAM User access to do anything in Amazon S3, you can simply attach the AmazonS3FullAccess policy, which grants:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:*", "Resource": "*" } ] }但是,这使他们可以执行任何操作(包括删除存储桶).通常,将为用户分配给定存储桶的特定权限,例如此内联策略:
However, this lets them do anything (including deleting buckets). Normally, people would be assigned specific permissions for a given bucket, such as this inline policy:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObjectAcl", "s3:GetObject", "s3:ListBucket", "s3:DeleteObject", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::my-bucket/*", "arn:aws:s3:::my-bucket" ] }, { "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*" } ] }请注意,某些操作适用于存储桶本身,而其他操作则适用于存储桶的内容(/* ).
Note that some actions apply to the bucket itself, while other applies to the contents (/*) of the bucket.
更多推荐
直接附加现有策略以以编程方式访问S3
发布评论