Problem specifying a single bucket in a simple AWS user policy

Posted 2025-01-01 13:58:59 · 943 characters · 2 views · 0 comments


I'm using AWS IAM STS (via boto) to create credentials for accessing an S3 bucket. I'm at a loss as to what's wrong in the following policy. I've simplified my policy down as much as possible and am still getting unexpected results.

When I get the token for the user I attach the following policy:

user_policy_string = r'{"Statement":[{"Effect":"Allow","Action": "s3:*","Resource":"arn:aws:s3:::*"}]}'

This works, but is obviously a little too permissive. In narrowing down the permissions associated with these credentials I attempt to use the same policy, but specify the bucket:

user_policy_string = r'{"Statement":[{"Effect":"Allow","Action": "s3:*","Resource":"arn:aws:s3:::buck_binary_bucket_bay-earth-d5a/*"}]}'

Here I get 403 errors when I try to access S3. Based on the AWS docs I'm sure this is the way to address a specific bucket in the policy, so I'm at a loss as to what could be causing this restriction. Am I referring to the bucket incorrectly?

In the S3 console, the policy is empty (have tried adding a totally permissive policy as well). For the AWS account used to generate the STS tokens, the policy is as follows:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:GetFederationToken",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:GetUser",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}


Comments (1)

飘逸的'云 2025-01-08 13:58:59


Here I get 403 errors when I try to access S3.

How do you actually try to access S3, i.e. by means of which tool, service, API?

Quite often a use case involves S3 API calls addressing different resource types as well, besides the Resource the policy already targets. Specifically, you'll need to be aware of the difference between Operations on the Service (e.g. ListAllMyBuckets), Operations on Buckets (e.g. ListBucket) and Operations on Objects (e.g. GetObject).

If your S3 access method implicitly uses any other resource types as well (i.e. besides the object resources you are already addressing via buck_binary_bucket_bay-earth-d5a/*), these require respective additional policies accordingly. For example, the common requirement of being able to list the objects in the bucket via ListBucket before accessing the objects themselves would require a respective policy fragment addressing the bucket like so:

   {
      "Statement":[{
         "Effect":"Allow",
         "Action":"s3:ListBucket",
         "Resource":"arn:aws:s3:::buck_binary_bucket_bay-earth-d5a"
      }]
   }
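To make the bucket-ARN versus object-ARN distinction concrete, here is an added Python example; it is not code from the question or from the answer above. It builds a session policy that allows s3:ListBucket on the bucket ARN and object actions on bucket/*, and includes a small local matcher (an approximation of IAM's "*"/"?" wildcard matching over Allow statements only, with no Deny, condition or caller-policy handling) to show why the object-only policy from the question ends in an implicit deny for ListBucket. The get_federation_token call uses boto3 rather than the legacy boto the question uses; the federated user name and token duration are assumed values.

```python
import json
import re

BUCKET = "buck_binary_bucket_bay-earth-d5a"

# The policy from the question: every s3:* action, but only on object ARNs.
OBJECT_ONLY_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::%s/*" % BUCKET}
    ]
}


def scoped_s3_policy(bucket):
    """Session policy for GetFederationToken confined to one bucket.

    s3:ListBucket is evaluated against the bucket ARN (no trailing "/*"),
    so it needs its own statement; object-level actions are evaluated
    against object ARNs, which bucket/* covers. Actions are listed
    explicitly instead of s3:* so the token cannot, for example, rewrite
    the bucket policy or ACLs.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": "arn:aws:s3:::%s" % bucket,
            },
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": "arn:aws:s3:::%s/*" % bucket,
            },
        ],
    }


def _wildcard_match(pattern, value):
    """IAM-style matching: '*' matches any run of characters (including '/'),
    '?' matches exactly one character, everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def is_allowed(policy, action, resource):
    """Local approximation of IAM evaluation for one policy document: an Allow
    statement must match both the action and the resource ARN, otherwise the
    result is an implicit deny. Deny statements, conditions and the calling
    user's own IAM policy (which also bounds a federated token) are not
    modelled here."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(_wildcard_match(a, action) for a in actions) and any(
            _wildcard_match(r, resource) for r in resources
        ):
            return True
    return False


def federation_token_for(bucket, user_name="s3-uploader", duration=3600):
    """Request temporary credentials bounded by the scoped policy. Requires
    boto3 and AWS credentials allowed to call sts:GetFederationToken; the
    user name and duration are assumed defaults. The effective permissions
    are the intersection of this session policy and the caller's IAM policy."""
    import boto3  # imported lazily so the rest of the module runs offline

    sts = boto3.client("sts")
    resp = sts.get_federation_token(
        Name=user_name,
        Policy=json.dumps(scoped_s3_policy(bucket)),
        DurationSeconds=duration,
    )
    return resp["Credentials"]


if __name__ == "__main__":
    bucket_arn = "arn:aws:s3:::%s" % BUCKET
    key_arn = bucket_arn + "/some/key"
    for name, policy in (("object-only", OBJECT_ONLY_POLICY), ("scoped", scoped_s3_policy(BUCKET))):
        print(name, "ListBucket:", is_allowed(policy, "s3:ListBucket", bucket_arn),
              "GetObject:", is_allowed(policy, "s3:GetObject", key_arn))
```

Running the module shows the object-only policy allowing GetObject but not ListBucket, which is the 403 pattern from the question when a client lists the bucket before fetching keys; the scoped policy allows both while still denying s3:ListAllMyBuckets and any other bucket.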