用于上传和查看图片的 Amazon S3 存储桶策略
Amazon S3 bucket policy for uploading and viewing pictures
我有一个应用程序,用户可以使用 facebook 登录,然后可以将图像上传到 s3 存储桶并查看它们。我使用 Cognito 服务允许每个登录用户上传和查看所有文件。
我不知道如何在 s3 存储桶上设置正确的权限。这是我的尝试,但我无法保存政策并获得 Statement is missing required element - Statement "NO_ID-0" is missing "Principal" element
{
"Version": "2012-10-17",
"Id": "Policy1457546546214",
"Statement": [
{
"Sid": "Stmt1475657256771436",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket-name/*"
},
{
"Sid": "Stmt16577654572138125",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": [
"bucket-name/identity-pool-id*"
]
}
]
}
这是客户端部分,如果有帮助:
FB.login(function (response) {
if (response.authResponse) {
AWS.config.region = 'eu-west-1';
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: 'eu-west-1:xxxxxxxxxxx',
Logins: {
'graph.facebook.com': response.authResponse.accessToken
}
})
var bucket = new AWS.S3({params: {Bucket: 'name'}})
var fileChooser = document.getElementById('file-chooser')
var button = document.getElementById('upload-button')
button.addEventListener('click', function() {
var file = fileChooser.files[0]
var params = {Key: file.name, ContentType: file.type, Body: file}
bucket.upload(params, function (err, data) {
...
认知 IAM > Roles > Cognito_myappAuth_Role:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cognito-identity:*"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::bucket/${cognito-identity.amazonaws.com:sub}/*",
"arn:aws:s3:::bucket/${cognito-identity.amazonaws.com:sub}"
]
}
]
}
你检查过this blog post了吗?它有一个很好的示例,说明如何设置允许用户访问 S3 存储桶的角色。删除列表桶部分,您 link 对身份池角色的访问策略可能如下所示:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket/${cognito-identity.amazonaws.com:sub}/*"]
}
]
}
编辑:
Tl;dr 来自未来读者的评论:
将策略应用于池的身份验证角色而不是存储桶
如果应用程序用例需要公共区域,请使用存储桶根目录,否则为策略中定义的每个身份使用一个目录(如博客中所述)
角色本身只有在身份验证发生后才会应用。该策略仅定义了返回的凭据将有权执行的操作以及执行的操作。
我有一个应用程序,用户可以使用 facebook 登录,然后可以将图像上传到 s3 存储桶并查看它们。我使用 Cognito 服务允许每个登录用户上传和查看所有文件。
我不知道如何在 s3 存储桶上设置正确的权限。这是我的尝试,但我无法保存政策并获得 Statement is missing required element - Statement "NO_ID-0" is missing "Principal" element
{
"Version": "2012-10-17",
"Id": "Policy1457546546214",
"Statement": [
{
"Sid": "Stmt1475657256771436",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket-name/*"
},
{
"Sid": "Stmt16577654572138125",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": [
"bucket-name/identity-pool-id*"
]
}
]
}
这是客户端部分,如果有帮助:
FB.login(function (response) {
if (response.authResponse) {
AWS.config.region = 'eu-west-1';
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: 'eu-west-1:xxxxxxxxxxx',
Logins: {
'graph.facebook.com': response.authResponse.accessToken
}
})
var bucket = new AWS.S3({params: {Bucket: 'name'}})
var fileChooser = document.getElementById('file-chooser')
var button = document.getElementById('upload-button')
button.addEventListener('click', function() {
var file = fileChooser.files[0]
var params = {Key: file.name, ContentType: file.type, Body: file}
bucket.upload(params, function (err, data) {
...
认知 IAM > Roles > Cognito_myappAuth_Role:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cognito-identity:*"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::bucket/${cognito-identity.amazonaws.com:sub}/*",
"arn:aws:s3:::bucket/${cognito-identity.amazonaws.com:sub}"
]
}
]
}
你检查过this blog post了吗?它有一个很好的示例,说明如何设置允许用户访问 S3 存储桶的角色。删除列表桶部分,您 link 对身份池角色的访问策略可能如下所示:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket/${cognito-identity.amazonaws.com:sub}/*"]
}
]
}
编辑:
Tl;dr 来自未来读者的评论:
将策略应用于池的身份验证角色而不是存储桶
如果应用程序用例需要公共区域,请使用存储桶根目录,否则为策略中定义的每个身份使用一个目录(如博客中所述)
角色本身只有在身份验证发生后才会应用。该策略仅定义了返回的凭据将有权执行的操作以及执行的操作。