我得到:
在调用ListObjects操作时发生错误(AccessDenied): AccessDenied
当我试图从S3存储桶中获取文件夹时。
使用该命令:
aws s3 cp s3://bucket-name/data/all-data/ . --recursive
桶的IAM权限如下所示:
{
"Version": "version_id",
"Statement": [
{
"Sid": "some_id",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::bucketname/*"
]
}
] }
我需要改变什么才能成功复制和ls ?
当前回答
我尝试了以下方法:
aws s3 ls s3.console.aws.amazon.com/s3/buckets/{bucket name}
这给了我一个错误:
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
使用这种形式是有效的:
aws s3 ls {bucket name}
其他回答
我认为错误是由于“s3:ListObjects”操作,但我不得不添加操作“s3:ListBucket”来解决“AccessDenied for ListObjects for s3 bucket”的问题
您已经授予了对S3桶内的对象执行命令的权限,但没有授予对桶本身执行任何操作的权限。
稍微修改一下你的策略会是这样的:
{
"Version": "version_id",
"Statement": [
{
"Sid": "some_id",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::bucketname",
"arn:aws:s3:::bucketname/*"
]
}
]
}
然而,这可能会给予超出所需的许可。遵循AWS IAM授予最小特权的最佳实践将看起来像这样:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::bucketname"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::bucketname/*"
]
}
]
}
遇到了类似的问题,对我来说,问题是我在bash_profile中设置了不同的AWS密钥。
我在这里回答了一个类似的问题:https://stackoverflow.com/a/57317494/11871462
如果bash_profile中有冲突的AWS密钥,AWS CLI会默认使用这些密钥。
比起之前的答案,我更喜欢这个。它展示了如何使用YAML格式,并允许您使用一个变量来指定bucket。
- PolicyName: "AllowIncomingBucket"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action: "s3:*"
Resource:
- !Ref S3BucketArn
- !Join ["/", [!Ref S3BucketArn, '*']]
这是一个对我有用的策略。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::bucket-name"
]
},
{
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::bucket-name/*"
]
}
]
}
