Generating S3 presigned URLs for a cross-account bucket

Posted on 2025-02-05 17:32:08

I have 2 AWS accounts: prod and dev

In prod, I've provided cross-account access to a bucket, a, to the dev account via ACL set in the S3 console. I've granted all permissions to the dev account on this bucket.

At this point I can list, add, remove objects in the a bucket under the dev account credentials. I figured I should be able to create presigned URLs — however, the credentials I create are always AccessDenied in the page.

Is there some permission I’ve not included, or something I’m misunderstanding?

  • I assumed that providing READ access to objects in this bucket from dev account would allow me to generate presigned URLs that would allow my frontend app to download the files.
  • I assumed that providing WRITE access to objects in this bucket from dev account would allow me to generate presigned URLs that would allow my frontend app to upload the files.

I’ve tried another approach as well, using this link to create STS credentials in dev to assume a role I’ve defined in prod that grants Full S3 access to bucket a. Similar results — full ability to list, download and add objects in the bucket but my presign URL is still showing a page that says AccessDenied... leading me to believe I'm just not granting the proper permission, but can't seem to find the docs to tell me which one.

Thanks in advance

EDIT
Policy I'm using

        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::a"
        }
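
An added example, not part of the original post: a presigned URL is authorized with the permissions of the credentials that signed it, and S3 checks object actions such as s3:GetObject against the object ARN (arn:aws:s3:::a/key) rather than the bucket ARN. The check below runs the posted statement through a simplified matcher; the helper names, the sample key and the widened statement are constructed for illustration, and it models one Allow statement only (no ACLs, bucket policies or Deny).

```python
import re

# Statement copied from the post's EDIT.
POSTED = {"Sid": "VisualEditor1", "Effect": "Allow",
          "Action": "s3:*", "Resource": "arn:aws:s3:::a"}
# Constructed for comparison (not from the post): also names the objects in the bucket.
WIDENED = dict(POSTED, Resource=["arn:aws:s3:::a", "arn:aws:s3:::a/*"])

# Small subset of S3 actions, grouped by the ARN form each is evaluated against.
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, text, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    flags = re.DOTALL | (re.IGNORECASE if ignore_case else 0)
    return re.fullmatch(regex, text, flags) is not None


def request_arn(action, bucket, key=None):
    """Return the ARN a request for `action` is checked against."""
    if action in OBJECT_ACTIONS:
        if not key:
            raise ValueError(f"{action} needs an object key")
        return f"arn:aws:s3:::{bucket}/{key}"
    if action in BUCKET_ACTIONS:
        return f"arn:aws:s3:::{bucket}"
    raise ValueError(f"action not modelled here: {action}")


def statement_allows(statement, action, bucket, key=None):
    """True if this one Allow statement covers `action` on the bucket or object."""
    if statement.get("Effect") != "Allow":
        return False
    arn = request_arn(action, bucket, key)
    return (any(_matches(a, action, ignore_case=True) for a in _as_list(statement["Action"]))
            and any(_matches(r, arn) for r in _as_list(statement["Resource"])))


if __name__ == "__main__":
    key = "uploads/report.pdf"  # constructed sample key
    for name, stmt in (("posted", POSTED), ("widened", WIDENED)):
        for action in ("s3:ListBucket", "s3:GetObject", "s3:PutObject"):
            target = key if action in OBJECT_ACTIONS else None
            print(name, action, statement_allows(stmt, action, "a", target))
```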
