I have an Amazon S3 bucket that I make public with a policy like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow Public Access to All Objects",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket/*"
    }
  ]
}
My bucket is now visible as http://bucket.s3-website-us-east-1.amazonaws.com/
I see others refer to their bucket as http://s3-us-east-1.amazonaws.com/bucket/
I would prefer the 2nd URL, but it gives an Access Denied.
How can I change my policy to allow the 2nd URL?
1 solution
#1
28
The URL structure you're referring to is called the REST endpoint, as opposed to the Web Site Endpoint.
Note: Since this answer was originally written, S3 has rolled out dualstack support on REST endpoints, using new hostnames, while leaving the existing hostnames in place. This is now integrated into the information provided, below.
If your bucket is really in the us-east-1 region of AWS -- which the S3 documentation formerly referred to as the "US Standard" region, but was subsequently officially renamed to the "U.S. East (N. Virginia) Region" -- then http://s3-us-east-1.amazonaws.com/bucket/ is not the correct form for that endpoint, even though it looks like it should be. The correct format for that region is either http://s3.amazonaws.com/bucket/ or http://s3-external-1.amazonaws.com/bucket/.¹
The format you're using is applicable to all the other S3 regions, but not US Standard (US East (N. Virginia) [us-east-1]).
S3 now also has dual-stack endpoint hostnames for the REST endpoints, and unlike the original endpoint hostnames, the names of these have a consistent format across regions, for example s3.dualstack.us-east-1.amazonaws.com. These endpoints support both IPv4 and IPv6 connectivity and DNS resolution, but are otherwise functionally equivalent to the existing REST endpoints.
If your permissions and configuration are set up such that the web site endpoint works, then the REST endpoint should work, too.
However... the two endpoints do not offer the same functionality.
Roughly speaking, the REST endpoint is better-suited for machine access and the web site endpoint is better suited for human access, since the web site endpoint offers friendly error messages, index documents, and redirects, while the REST endpoint doesn't. On the other hand, the REST endpoint offers HTTPS and support for signed URLs, while the web site endpoint doesn't.
Choose the correct type of endpoint (REST or web site) for your application:
http://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteEndpoints.html#WebsiteRestEndpointDiff
¹ s3-external-1.amazonaws.com has been referred to as the "Northern Virginia endpoint," in contrast to the "Global endpoint" s3.amazonaws.com. It was unofficially possible to get read-after-write consistency on new objects in this region if the "s3-external-1" hostname was used, because this would send you to a subset of possible physical endpoints that could provide that functionality. This behavior is now officially supported on this endpoint, so this is probably the better choice in many applications. Previously, s3-external-2 had been referred to as the "Pacific Northwest endpoint" for US-Standard, though it is now a CNAME in DNS for s3-external-1, so s3-external-2 appears to have no purpose except backwards-compatibility.
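The endpoint rules from the answer, worked into a small helper as an added example (not part of the question or answer above): it builds the REST and dual-stack hostnames for a region, treating us-east-1 as the special case the answer describes, and checks whether a bucket policy of the shape in the question actually grants anonymous s3:GetObject, so an Access Denied can be traced to the wrong hostname rather than the policy. The website hostname form `s3-website-<region>` is assumed from the question's URL; the policy is the question's own, with `bucket` as a placeholder name.

```python
import json
from urllib.parse import quote

# Constructed sample: the bucket policy from the question, placeholder bucket name "bucket".
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Allow Public Access to All Objects",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::bucket/*"
  }]
}""")

def rest_hostnames(region):
    """REST endpoint hostnames for a region, per the answer.
    us-east-1 is the exception: s3-us-east-1.amazonaws.com is not a valid name there."""
    if region == "us-east-1":
        legacy = ["s3.amazonaws.com", "s3-external-1.amazonaws.com"]
    else:
        legacy = [f"s3-{region}.amazonaws.com"]
    # Dual-stack names have one consistent format across regions, us-east-1 included.
    return legacy + [f"s3.dualstack.{region}.amazonaws.com"]

def website_hostname(bucket, region):
    """Website endpoint (assumed 's3-website-<region>' form, as in the question); HTTP only."""
    return f"{bucket}.s3-website-{region}.amazonaws.com"

def rest_urls(bucket, key, region, https=True):
    """Path-style object URLs on every REST hostname; HTTPS is only offered by REST endpoints."""
    scheme = "https" if https else "http"
    return [f"{scheme}://{h}/{bucket}/{quote(key)}" for h in rest_hostnames(region)]

def grants_anonymous_get(policy, bucket):
    """True if an Allow statement lets Principal '*' call s3:GetObject on the bucket's objects.
    Minimal check for the question's pattern only: no Deny handling, no Condition evaluation."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        public = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if public and any(a in ("s3:GetObject", "s3:*", "*") for a in actions) \
                and any(r in (f"arn:aws:s3:::{bucket}/*", "*") for r in resources):
            return True
    return False
```

If `grants_anonymous_get` is true for the bucket and the website endpoint serves the object, an Access Denied on the REST URL points at the hostname, which is exactly the us-east-1 case the answer explains.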