I am looking to modify an S3 bucket policy using boto/boto3. I have found two modes in boto3 through which we can perform operations on a bucket policy.
# I can get the bucket policy object as follows
import boto3
s3_conn = boto3.resource('s3')
bucket_policy = s3_conn.BucketPolicy('bucket_name')
# I can call put(), load(), policy on the bucket_policy object.
# Similarly, in the other way, I can use the following code
# (get_bucket_policy is a method of the client, not of the resource)
s3_client = boto3.client('s3')
policy = s3_client.get_bucket_policy(Bucket='bucket_name')
# Similar to this there are two other calls, put_bucket_policy and delete_bucket_policy.
I am looking to update a bucket policy so that I can add more attributes.
E.g. I want to add one more entry under the Statement key of the following policy.
{
"Version": "2012-10-17",
"Id": "Policy14564645656",
"Statement": [{
"Sid": "Stmt1445654645618",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::6164563645030:root"
},
"Action": "s3:Get*",
"Resource": "arn:aws:s3:::bucket_name/abc/*"
}]
}
Is there any straightforward way to do this? One very weird way is to add the entry in the JSON and then PUT this as a new policy, but I am looking for a call which allows the user to update the policy without knowing the existing policy.
2 solutions
#1
1
IAM does not provide a way to update a policy without providing a whole, valid policy as a replacement. You need to perform a PUT, passing in the original policy name.
#2
0
The current boto3 API doesn't have a function to APPEND to the bucket policy, whether to add other items/elements/attributes. You need to load and manipulate the JSON yourself. E.g. write a script to load the policy into a dict, append to the "Statement" element list, then use policy.put to replace the whole policy. Without the original statement id, the user policy will be appended. HOWEVER, there is no way to tell whether a later user policy will override rules of the earlier one.
For example
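import json
import boto3

s3_res = boto3.resource('s3')
bucket_policy = s3_res.BucketPolicy('bucket_name')
# Or use client to get Bucket policy
s3_client = boto3.client('s3')
response = s3_client.get_bucket_policy(Bucket='bucket_name')
# The policy comes back as a JSON string under the 'Policy' key
policy = json.loads(response['Policy'])
# assign policy using s3 resource
user_policy = {
    "Effect": "Allow",
    # ... remaining statement fields (Principal, Action, Resource)
}
# list.append() returns None, so append in place and serialize afterwards
policy['Statement'].append(user_policy)
bucket_policy.put(Policy=json.dumps(policy))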
The user doesn't need to know the old policy in the process.
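An added example, not part of the original question or answers: the read-modify-write from the thread written so that it copes with a bucket that has no policy yet and replaces a statement with the same Sid instead of duplicating it. The function names are hypothetical, and the check that rejects an unconditioned Allow for Principal "*" is an extra safeguard that goes beyond what the thread discusses.

```python
import json

def merge_statement(policy_json, statement):
    """Add `statement` to a policy document and return the result as JSON.

    policy_json is the current policy string, or None when the bucket has
    no policy. A statement with the same Sid is replaced, not duplicated.
    """
    if policy_json is None:
        policy = {"Version": "2012-10-17", "Statement": []}
    else:
        policy = json.loads(policy_json)
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):  # Statement may be one object, not a list
        stmts = [stmts]
    sid = statement.get("Sid")
    if sid is not None:
        stmts = [s for s in stmts if s.get("Sid") != sid]
    policy["Statement"] = stmts + [statement]
    return json.dumps(policy)

def is_public_allow(statement):
    """True for an Allow to Principal "*" that carries no Condition."""
    principal = statement.get("Principal")
    wildcard = principal == "*" or (
        isinstance(principal, dict) and principal.get("AWS") == "*")
    return (statement.get("Effect") == "Allow" and wildcard
            and "Condition" not in statement)

def upsert_bucket_statement(s3_client, bucket, statement):
    """Read-modify-write on a boto3 S3 client; returns the policy written."""
    if is_public_allow(statement):
        raise ValueError("refusing unconditioned Allow for Principal '*'")
    try:
        current = s3_client.get_bucket_policy(Bucket=bucket)["Policy"]
    except s3_client.exceptions.ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
        current = None  # no policy yet: start from an empty document
    merged = merge_statement(current, statement)
    s3_client.put_bucket_policy(Bucket=bucket, Policy=merged)
    return json.loads(merged)

if __name__ == "__main__":
    # Constructed sample: a one-statement policy, then two merges into it.
    old = '{"Version": "2012-10-17", "Statement": [{"Sid": "A", "Effect": "Deny"}]}'
    print(merge_statement(old, {"Sid": "B", "Effect": "Allow"}))  # appended
    print(merge_statement(old, {"Sid": "A", "Effect": "Allow"}))  # replaced
```

The read and the write are two separate API calls, so two writers updating the same bucket at once can overwrite each other's change.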