I need to have some generated S3 bucket with all avavilable permissions - READ and WRITE are mandatatory.
我需要有一些生成的S3存储桶具有所有可用的权限 - READ和WRITE是强制性的。
I tried so far to make it using this code:
到目前为止,我尝试使用此代码:
var createBucketParams = {Bucket: bucketName, ACL: 'public-read-write', GrantFullControl:'FULL_CONTROL'};
S3.createBucket(createBucketParams, function(err, data) {
if (err) {
console.log("Error while calling createBucket() - Error: " + err);
} else {
console.log("Successfully Bucket created.");
}
});
My problem is that the permissions are not working well, i'm getting AccessDenied while trying to getObject(), any ideas how to solve it ?
我的问题是权限不能很好,我在尝试getObject()时遇到了AccessDenied,任何想法如何解决?
EDIT: This is my current code with all the latest changes:
编辑:这是我当前的代码,包含所有最新的更改:
before(() => {
console.log("Mocking AWS.DynamoDB.DocumentClient API");
AWSMock.mock('DynamoDB.DocumentClient', 'put', function(params, callback) {
callback(null, "Mock: successfully put object in DynamoDB");
});
console.log("Mocking AWS.S3 API");
AWSMock.mock('S3', 'createBucket', function (params, callback){
callback(null, "successfully bucket created in S3");
});
AWSMock.mock('S3', 'putObject', function (params, callback){
callback(null, "successfully put item in S3");
});
AWSMock.mock('S3', 'getObject', function (params, callback){
callback(null, "successfully get item in S3");
});
AWSMock.mock('S3', 'putBucketPolicy', function (params, callback){
callback(null, "successfully putBucketPolicy in S3");
});
});
it('Writing a file to S3 with user metadata - when data is valid JSON and updating the DB is Succeed',
function(done) {
var bucketName = 'my.unique.bucket.name';
var fileName = 'fileName.csv';
var s3Policy = {
"Version":"2012-10-17",
"Id":"http referer policy example",
"Statement":[
{
"Sid":"Allow get requests originating from www.example.com and example.com.",
"Effect": "Allow",
"Principal": "*",
"Action": ["s3:GetObject,s3:PutObject"],
"Resource": "arn:aws:s3:::" + bucketName + "/*",
"Condition": {
"IpAddress": {"aws:SourceIp": "127.0.0.1"},
"NotIpAddress": {"aws:SourceIp": "127.0.0.1"}
}
}
]
};
var S3 = new AWS.S3();
var createBucketParams = {Bucket: bucketName, ACL: "FULL_CONTROL", Region: "us-west-2"};
S3.createBucket(createBucketParams, function(err, data) {
if (err) {
console.log("Error while calling createBucket() - Error: " + err);
} else {
console.log("Successfully Bucket created.");
}
});
var putBucketPolicyParams = {
Bucket: bucketName,
Policy: JSON.stringify(s3Policy)
};
S3.putBucketPolicy(putBucketPolicyParams, function(err, data) {
if (err) console.log(err, err.stack);
else console.log(data);
});
var putObjectParams = {Bucket: bucketName,
Key: fileName,
Body: 'Hello!',
Metadata: {startDate: "2016-12-12T12:34:56.000Z", endDate:"2016-12-31T12:34:56.000Z",
userName:"someUser",
originalFileName:"fileName.csv"}};
S3.putObject(putObjectParams, function(err, data) {
if (err) {
console.log(err, err.stack)
} else {
console.log("Successfully put a file to bucket");
}
});
LambdaTester(myHandler)
.event(JSON.parse(JSON.stringify(require('./testcases/single_record_with_user_metadata.json'))))
.expectSucceed(function(result) {
expect(result.valid).to.be.true;
})
.verify(done);
});
And the usage in the js file:
以及js文件中的用法:
S3.getObject(s3FileParams, function(err, data) {
if (err) {
var message = "Error while trying to get file object " + fullFileName + " from bucket " + bucketName + ". Make sure they exist and your bucket is in the same region as this function. Error: " + err;
console.error(message);
// console.log(err, err.stack);
console.log(JSON.stringify(err, null, 2));
} else {
userMetaDataJson = JSON.parse(JSON.stringify(data.Metadata));
}
resolve();
})
1 个解决方案
#1
1
S3 offers two types of policy:
S3提供两种类型的策略:
- resource-based
- 资源型
- user-based
- 基于用户的
You're (correctly) trying to apply a resource-based policy. For resource-based policies, you have a further two options:
您(正确地)尝试应用基于资源的策略。对于基于资源的策略,您还有两个选项:
- Access Control Lists (ACL)
- 访问控制列表(ACL)
- bucket policy
- 桶政策
You're trying to apply an ACL in which case you should read the 'Mapping of ACL Permissions and Access Policy Permissions' section in the documentation. Specifically, when you grant the READ ACL on a bucket, you are permitting the following:
您正在尝试应用ACL,在这种情况下,您应该阅读文档中的“ACL权限和访问策略权限的映射”部分。具体来说,当您在存储桶上授予READ ACL时,您将允许以下操作:
- s3:ListBucket
- S3:ListBucket
- s3:ListBucketVersions
- S3:ListBucketVersions
- s3:ListBucketMultipartUploads
- S3:ListBucketMultipartUploads
Note specifically that you are not permitting s3:GetObject. To do that, you would supply the READ ACL on each object when you put objects into the bucket.
请特别注意,您不允许使用s3:GetObject。为此,当您将对象放入存储桶时,您将在每个对象上提供READ ACL。
OK, all that ACL stuff aside, you should probably be using a bucket policy instead of ACLs. Bucket policies supplement, and in many cases replace, ACL-based access policies. Here is an example policy that grants the s3:GetObject permission to all users. You will also have to add PutObject to allow them to upload (and other actions as necessary for list, delete etc. as appropriate). You can set a bucket policy using putBucketPolicy.
好的,除了ACL之外,您应该使用存储桶策略而不是ACL。存储桶策略是对基于ACL的访问策略的补充,在许多情况下是替代。以下是向所有用户授予s3:GetObject权限的示例策略。您还必须添加PutObject以允许它们上传(以及根据需要进行列表,删除等所需的其他操作)。您可以使用putBucketPolicy设置存储桶策略。
#1
1
S3 offers two types of policy:
S3提供两种类型的策略:
- resource-based
- 资源型
- user-based
- 基于用户的
You're (correctly) trying to apply a resource-based policy. For resource-based policies, you have a further two options:
您(正确地)尝试应用基于资源的策略。对于基于资源的策略,您还有两个选项:
- Access Control Lists (ACL)
- 访问控制列表(ACL)
- bucket policy
- 桶政策
You're trying to apply an ACL in which case you should read the 'Mapping of ACL Permissions and Access Policy Permissions' section in the documentation. Specifically, when you grant the READ ACL on a bucket, you are permitting the following:
您正在尝试应用ACL,在这种情况下,您应该阅读文档中的“ACL权限和访问策略权限的映射”部分。具体来说,当您在存储桶上授予READ ACL时,您将允许以下操作:
- s3:ListBucket
- S3:ListBucket
- s3:ListBucketVersions
- S3:ListBucketVersions
- s3:ListBucketMultipartUploads
- S3:ListBucketMultipartUploads
Note specifically that you are not permitting s3:GetObject. To do that, you would supply the READ ACL on each object when you put objects into the bucket.
请特别注意,您不允许使用s3:GetObject。为此,当您将对象放入存储桶时,您将在每个对象上提供READ ACL。
OK, all that ACL stuff aside, you should probably be using a bucket policy instead of ACLs. Bucket policies supplement, and in many cases replace, ACL-based access policies. Here is an example policy that grants the s3:GetObject permission to all users. You will also have to add PutObject to allow them to upload (and other actions as necessary for list, delete etc. as appropriate). You can set a bucket policy using putBucketPolicy.
好的,除了ACL之外,您应该使用存储桶策略而不是ACL。存储桶策略是对基于ACL的访问策略的补充,在许多情况下是替代。以下是向所有用户授予s3:GetObject权限的示例策略。您还必须添加PutObject以允许它们上传(以及根据需要进行列表,删除等所需的其他操作)。您可以使用putBucketPolicy设置存储桶策略。