I'm trying to figure out a basic permission set for an IAM user/key to have to have access to only a single bucket in S3 - only read/write access on an individual bucket.
我试图弄清楚IAM用户/密钥的基本权限集必须只能访问S3中的单个存储桶 - 只对单个存储桶进行读/写访问。
What set of permissions is the minimum required to make this work? I have all options selected in the IAM policy generator for S3, all permissions enabled on the bucket except CreateBucket
and DeleteBucket
. I've also created a set of keys specific to this user.
使这项工作所需的最低权限是什么?我在S3的IAM策略生成器中选择了所有选项,除了CreateBucket和DeleteBucket之外,在桶上启用了所有权限。我还创建了一组特定于此用户的密钥。
When I try to access the bucket with these credentials, I get a problem listing buckets, even though the ListAllMyBuckets
property is enabled.
当我尝试使用这些凭据访问存储桶时,即使启用了ListAllMyBuckets属性,我也会遇到列出存储桶的问题。
Anyone have any experience setting up a basic bucket config like this? Seems like it would be pretty common...
有没有经验设置这样的基本桶配置?好像很常见......
2 个解决方案
#1
12
The Example Policies for Amazon S3 cover various use cases similar or related to yours - specifically you might probably want to combine Example 1: Allow each user to have a home directory in Amazon S3 with Example 2: Allow a user to list only the objects in his or her home directory in the corporate bucket - you'd just need to adjust the Resource
to target your buckets root directory instead, i.e. replace /home/bob/*
with *
.
Amazon S3的示例策略涵盖了与您类似或相关的各种用例 - 特别是您可能希望将示例1:允许每个用户在Amazon S3中使用示例2:允许用户仅列出对象中的主目录他或她在公司存储桶中的主目录 - 您只需要调整资源来定位您的存储桶根目录,即将/ home / bob / *替换为*。
Please note that Example 2 facilitates ListBucket, which is an operation on a bucket that returns information about some of the items in the bucket, whereas ListAllMyBuckets is an operation on the service that returns a list of all buckets owned by the sender of the request, so likely not applicable to your use case (see my comment regarding clarification of the latter).
请注意,示例2有助于ListBucket,它是一个桶上的操作,返回桶中某些项的信息,而ListAllMyBuckets是对服务的操作,返回请求发送方拥有的所有桶的列表,很可能不适用于您的用例(请参阅我对后者的澄清的评论)。
#2
0
This will permit to list all buckets assuming you are not denying it somewhere else (I am 99% sure deny statements are evaluated first; order does not matter with IAM policies):
这将允许列出所有桶,假设您没有在其他地方拒绝它(我99%肯定拒绝语句首先被评估;顺序与IAM策略无关):
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": "*"
}
Permit whatever you want for your buckets (Don't forget the /* also):
允许任何你想要的桶(不要忘记/ *):
{
"Effect": "Allow",
"Action": [
"s3:<Put your actions here; cherry pick from the AWS documentation>"
],
"Resource": [
"arn:aws:s3:::<Bucket name here>",
"arn:aws:s3:::<Bucket name here>/*"
]
}
#1
12
The Example Policies for Amazon S3 cover various use cases similar or related to yours - specifically you might probably want to combine Example 1: Allow each user to have a home directory in Amazon S3 with Example 2: Allow a user to list only the objects in his or her home directory in the corporate bucket - you'd just need to adjust the Resource
to target your buckets root directory instead, i.e. replace /home/bob/*
with *
.
Amazon S3的示例策略涵盖了与您类似或相关的各种用例 - 特别是您可能希望将示例1:允许每个用户在Amazon S3中使用示例2:允许用户仅列出对象中的主目录他或她在公司存储桶中的主目录 - 您只需要调整资源来定位您的存储桶根目录,即将/ home / bob / *替换为*。
Please note that Example 2 facilitates ListBucket, which is an operation on a bucket that returns information about some of the items in the bucket, whereas ListAllMyBuckets is an operation on the service that returns a list of all buckets owned by the sender of the request, so likely not applicable to your use case (see my comment regarding clarification of the latter).
请注意,示例2有助于ListBucket,它是一个桶上的操作,返回桶中某些项的信息,而ListAllMyBuckets是对服务的操作,返回请求发送方拥有的所有桶的列表,很可能不适用于您的用例(请参阅我对后者的澄清的评论)。
#2
0
This will permit to list all buckets assuming you are not denying it somewhere else (I am 99% sure deny statements are evaluated first; order does not matter with IAM policies):
这将允许列出所有桶,假设您没有在其他地方拒绝它(我99%肯定拒绝语句首先被评估;顺序与IAM策略无关):
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": "*"
}
Permit whatever you want for your buckets (Don't forget the /* also):
允许任何你想要的桶(不要忘记/ *):
{
"Effect": "Allow",
"Action": [
"s3:<Put your actions here; cherry pick from the AWS documentation>"
],
"Resource": [
"arn:aws:s3:::<Bucket name here>",
"arn:aws:s3:::<Bucket name here>/*"
]
}