我遵循这个答案的说明来生成以下S3桶策略:
{
"Id": "Policy1495981680273",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1495981517155",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::surplace-audio",
"Principal": "*"
}
]
}
我得到以下错误:
操作不适用于语句中的任何资源
我的保单中遗漏了什么?
当前回答
您还可以为每个文件夹配置ListBuckets,如下所示
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSESPuts-1521238702575",
"Effect": "Allow",
"Principal": {
"Service": "ses.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::buckets.email/*",
"Condition": {
"StringEquals": {
"aws:Referer": "[red]"
}
}
},
{
"Sid": "Stmt1586754972129",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::596322993031:user/[red]"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::buckets.email",
"Condition": {
"StringEquals": {
"s3:delimiter": "/",
"s3:prefix": [
"",
"domain.co",
"domain.co/user"
]
}
}
},
{
"Sid": "Stmt1586754972129",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::596322993031:user/[red]"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::buckets.email",
"Condition": {
"StringLike": {
"s3:prefix": "domain.co/user/*"
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::596322993031:user/[red]"
},
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::buckets.email/domain.co/user/*"
}
]
}
这些规则与SES一起用于接收电子邮件,但允许外部用户查看SES放入bucket中的文件。 我按照这里的说明做了:https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/
此外,必须将prefix指定为域。co/user/ WITH在使用SDK时,否则你将被拒绝访问。希望能对大家有所帮助
其他回答
我发现我的ListBuckets没有工作,因为IAM原则没有ListAllMyBuckets权限。
要解决这个问题,您需要在策略规则中找到Resource,并在数组中添加arn桶,一个带*,第二个末尾不带*。这将修复错误。
{
"Version": "2012-10-17",
"Id": "Policy3783783783738",
"Statement": [
{
"Sid": "Stmt1615891730703",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::76367367633:user/magazine-demo-root-user"
},
"Action": [
"s3:ListBucket",
"s3:ListBucketVersions",
"s3:GetBucketLocation",
"s3:DeleteObject",
"s3:AbortMultipartUpload",
"s3:Get*",
"s3:Put*"
],
"Resource": [
"arn:aws:s3:::magazine-demo",
"arn:aws:s3:::magazine-demo/*"
]
}
]
}
只需在json policy resource中做一个更改。
"Resource": ["arn:aws:s3:::bucket-name/*"]
注意:在bucket-name后面加/*
参考文档: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html
您必须检查Policy-的Resource标记下定义的arn模式
“资源”:“当arn: aws s3::: s3mybucketname / *
在桶的公共访问策略被解除后,如果你遇到这个问题,在结尾添加“/*”将有助于解决这个问题。
您可能有几个策略语句,这个错误是非常普遍的。最好的方法是注释除任何一个以外的所有其他语句(如GetObject,或ListBuckets,或PutObject)并执行代码并查看。如果工作正常,就意味着ARN路径是正确的。否则,ARN应该单独包含桶名或包含/*的桶名。
一些资源(如ListBucket)接受ARN的全名,如“ARN:aws:s3:::bucket_name”,而GetObject或PutObject要求bucket_name后面有一个/*。根据服务更改arn,现在应该可以工作了!
