前端之家

  1. 首页
  2. 问答

如何限制用户仅查看特定的存储桶

问答

我有一组用户:user1和user2。理想情况下,他们应该有权在自己的存储桶中进行读取和写入。

我想给他们控制台访问权限,以便他们可以通过拖放登录和上传S3中的数据。

因此,我希望一个用户能够查看其他用户的存储桶。

我正在使用以下IAM策略:

{
  "Version": "2012-10-17","Statement": [
    {
      "Effect": "Allow","action": [
        "s3:ListBucket","s3:GetBucketLocation","s3:ListBucketMultipartUploads"
      ],"Resource": "arn:aws:s3:::user1_bucket","Condition": {}
    },{
      "Effect": "Allow","action": [
        "s3:AbortMultipartUpload","s3:DeleteObject","s3:DeleteObjectVersion","s3:GetObject","s3:GetObjectAcl","s3:GetObjectVersion","s3:GetObjectVersionAcl","s3:PutObject","s3:PutObjectAcl","s3:PutObjectVersionAcl"
      ],"Resource": "arn:aws:s3:::user1_bucket/*","Condition": {}
    }
  ]
}

但是它不会为用户显示任何存储桶。用户只能看到拒绝访问。 我试图在策略中添加主体:

{
    "Version": "2012-10-17","Statement": [
        {
            "Effect": "Allow","Principal": {"AWS": "arn:aws:iam::9xxxxxxxxxx:user/user1"},"action": "s3:*","Resource": [
                "arn:aws:s3:::user1_bucket"
            ]
        }
    ]
}

这给出了一个错误。

This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar,see AWS IAM Policies

我该怎么办?

diwukongjian 回答:如何限制用户仅查看特定的存储桶

有两种方法可以执行此操作。

存储桶策略:您可以通过附加策略来选择谁可以访问和控制所述存储桶。您的案例示例:

{
    "Version": "2012-10-17","Statement": [
        {
            "Sid": "bucketAccess","Effect": "Allow","Principal": {
                "AWS": "arn:aws:iam::AWS-account-ID:user/user-name"
            },"Action": [
                "s3:GetObject","s3:AbortMultipartUpload","s3:DeleteObject","s3:DeleteObjectVersion","s3:GetObjectAcl","s3:GetObjectVersion","s3:GetObjectVersionAcl","s3:PutObject","s3:PutObjectAcl","s3:PutObjectVersionAcl"
            ],"Resource": [
                "arn:aws:s3:::examplebucket/*"
            ]
        }
    ]
}

来源:Bucket Policy Examples - Amazon Simple Storage Service

或者您可以通过角色策略授予访问权限,我认为这样更好。您几乎拥有了它,但是最后一团糟。您的政策应如下所示:

{
    "Version": "2012-10-17","Statement": [
        {
            "Effect": "Allow","Action": [
                "s3:ListAllMyBuckets"
            ],"Resource": "arn:aws:s3:::"
        },{
            "Effect": "Allow","Action": [
                "s3:ListBucket","s3:GetBucketLocation"
            ],"Resource": "arn:aws:s3:::examplebucket"
        },"Action": [
                "s3:PutObject","s3:GetObject","s3:DeleteObject"
            ],"Resource": "arn:aws:s3:::examplebucket/"
        }
    ]
}

来源:User Policy Examples - Amazon Simple Storage Service

我希望这会有所帮助。

,

您的要求似乎是:

  • 用户应该能够使用Amazon S3管理控制台访问(查看,上传,下载)自己的S3存储桶
  • 他们应该不能能够查看其他存储桶的名称,也不能访问这些存储桶

带有列表桶

第一个要求可以通过以下政策来满足:

{
    "Version": "2012-10-17","Statement": [
        {
            "Sid": "AccessThisBucket","Action": "s3:*","Resource": [
                "arn:aws:s3:::my-bucket","arn:aws:s3:::my-bucket/*"
            ]
        },{
            "Sid": "ListAllBucketForS3Console","Action": "s3:ListAllMyBuckets","Resource": "arn:aws:s3:::*"
        }
    ]
}

这允许他们访问其特定存储桶,但也允许他们列出所有存储桶名称。这是Amazon S3管理控制台的要求,因为它要做的第一件事就是列出所有存储桶。

没有列表存储桶

但是,由于您不想让这些用户列出所有存储桶的名称,因此可以使用以下策略:

{
    "Version": "2012-10-17","Statement": [
        {
            "Sid": "VisualEditor0","arn:aws:s3:::my-bucket/*"
            ]
        }
    ]
}

这使他们可以完全访问自己的存储桶,但是他们无法列出其他存储桶的名称。

要在管理控制台中使用此功能,他们将需要使用以下网址直接直接跳转到其存储桶

https://console.aws.amazon.com/s3/buckets/my-bucket

这将允许他们访问和使用其存储桶。

他们还将能够使用AWS Command-Line Interface (CLI)命令,例如:

aws s3 ls s3://my-bucket
aws s3 cp foo.txt s3://my-bucket/foo.txt

底线::要在未经许可的情况下使用管理控制台列出所有存储桶,他们将需要使用直接跳转到其存储桶的URL。

amazon-iamamazon-s3amazon-web-services
本文链接:https://www.f2er.com/3118745.html

大家都在问