S3存储桶的基本AWS IAM权限

时间:2022-07-07 10:46:40

I'm trying to figure out a basic permission set for an IAM user/key to have to have access to only a single bucket in S3 - only read/write access on an individual bucket.

我试图弄清楚IAM用户/密钥的基本权限集必须只能访问S3中的单个存储桶 - 只对单个存储桶进行读/写访问。

What set of permissions is the minimum required to make this work? I have all options selected in the IAM policy generator for S3, all permissions enabled on the bucket except CreateBucket and DeleteBucket. I've also created a set of keys specific to this user.

使这项工作所需的最低权限是什么?我在S3的IAM策略生成器中选择了所有选项,除了CreateBucket和DeleteBucket之外,在桶上启用了所有权限。我还创建了一组特定于此用户的密钥。

When I try to access the bucket with these credentials, I get a problem listing buckets, even though the ListAllMyBuckets property is enabled.

当我尝试使用这些凭据访问存储桶时,即使启用了ListAllMyBuckets属性,我也会遇到列出存储桶的问题。

Anyone have any experience setting up a basic bucket config like this? Seems like it would be pretty common...

有没有经验设置这样的基本桶配置?好像很常见......

2 个解决方案

#1


12  

The Example Policies for Amazon S3 cover various use cases similar or related to yours - specifically you might probably want to combine Example 1: Allow each user to have a home directory in Amazon S3 with Example 2: Allow a user to list only the objects in his or her home directory in the corporate bucket - you'd just need to adjust the Resource to target your buckets root directory instead, i.e. replace /home/bob/*with *.

Amazon S3的示例策略涵盖了与您类似或相关的各种用例 - 特别是您可能希望将示例1:允许每个用户在Amazon S3中使用示例2:允许用户仅列出对象中的主目录他或她在公司存储桶中的主目录 - 您只需要调整资源来定位您的存储桶根目录,即将/ home / bob / *替换为*。

Please note that Example 2 facilitates ListBucket, which is an operation on a bucket that returns information about some of the items in the bucket, whereas ListAllMyBuckets is an operation on the service that returns a list of all buckets owned by the sender of the request, so likely not applicable to your use case (see my comment regarding clarification of the latter).

请注意,示例2有助于ListBucket,它是一个桶上的操作,返回桶中某些项的信息,而ListAllMyBuckets是对服务的操作,返回请求发送方拥有的所有桶的列表,很可能不适用于您的用例(请参阅我对后者的澄清的评论)。

#2


0  

This will permit to list all buckets assuming you are not denying it somewhere else (I am 99% sure deny statements are evaluated first; order does not matter with IAM policies):

这将允许列出所有桶,假设您没有在其他地方拒绝它(我99%肯定拒绝语句首先被评估;顺序与IAM策略无关):

    {
        "Effect": "Allow",
        "Action": [
            "s3:ListAllMyBuckets"
        ],
        "Resource": "*"
    }

Permit whatever you want for your buckets (Don't forget the /* also):

允许任何你想要的桶(不要忘记/ *):

    {
        "Effect": "Allow",
        "Action": [
            "s3:<Put your actions here; cherry pick from the AWS documentation>"
        ],
        "Resource": [
            "arn:aws:s3:::<Bucket name here>",
            "arn:aws:s3:::<Bucket name here>/*"
        ]
    }

#1


12  

The Example Policies for Amazon S3 cover various use cases similar or related to yours - specifically you might probably want to combine Example 1: Allow each user to have a home directory in Amazon S3 with Example 2: Allow a user to list only the objects in his or her home directory in the corporate bucket - you'd just need to adjust the Resource to target your buckets root directory instead, i.e. replace /home/bob/*with *.

Amazon S3的示例策略涵盖了与您类似或相关的各种用例 - 特别是您可能希望将示例1:允许每个用户在Amazon S3中使用示例2:允许用户仅列出对象中的主目录他或她在公司存储桶中的主目录 - 您只需要调整资源来定位您的存储桶根目录,即将/ home / bob / *替换为*。

Please note that Example 2 facilitates ListBucket, which is an operation on a bucket that returns information about some of the items in the bucket, whereas ListAllMyBuckets is an operation on the service that returns a list of all buckets owned by the sender of the request, so likely not applicable to your use case (see my comment regarding clarification of the latter).

请注意,示例2有助于ListBucket,它是一个桶上的操作,返回桶中某些项的信息,而ListAllMyBuckets是对服务的操作,返回请求发送方拥有的所有桶的列表,很可能不适用于您的用例(请参阅我对后者的澄清的评论)。

#2


0  

This will permit to list all buckets assuming you are not denying it somewhere else (I am 99% sure deny statements are evaluated first; order does not matter with IAM policies):

这将允许列出所有桶,假设您没有在其他地方拒绝它(我99%肯定拒绝语句首先被评估;顺序与IAM策略无关):

    {
        "Effect": "Allow",
        "Action": [
            "s3:ListAllMyBuckets"
        ],
        "Resource": "*"
    }

Permit whatever you want for your buckets (Don't forget the /* also):

允许任何你想要的桶(不要忘记/ *):

    {
        "Effect": "Allow",
        "Action": [
            "s3:<Put your actions here; cherry pick from the AWS documentation>"
        ],
        "Resource": [
            "arn:aws:s3:::<Bucket name here>",
            "arn:aws:s3:::<Bucket name here>/*"
        ]
    }