Remove AllUsers from ACL policy in bash

I'm getting a response like this from aws

{
  "Owner": {
    "DisplayName": "2414218.aws",
    "ID": "xxxxxxxx"
  },
  "Grants": [
    {
      "Grantee": {
        "DisplayName": "2414218.aws",
        "ID": "yyyyyyyyyy"
      },
      "Permission": "FULL_CONTROL"
    },
    {
      "Grantee": {
        "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
      },
      "Permission": "READ"
    }
  ]
}

I'm looking to update the file so that AllUsers is removed (get-object-acl should then look like this)

{
  "Owner": {
    "DisplayName": "2414218.aws",
    "ID": "xxxxxxxx"
  },
  "Grants": [
    {
      "Grantee": {
        "DisplayName": "2414218.aws",
        "ID": "yyyyyyyyyy"
      },
      "Permission": "FULL_CONTROL"
    }
  ]
}

Without knowing what other grantees are available, how can I do this? I specifically want to remove the grantee when I see http://acs.amazonaws.com/groups/global/AllUsers

I'm currently looking up the policy with aws s3api get-object-acl --bucket mhe-deployments-prod --key $keyFile | jq '.'

Probably not the best, but this works

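#!/usr/local/bin/bash
# aws ~/.aws/credentials and s3cmd must be configured first with proper creds

target=''   # bucket name
# List every key in the bucket (4th column of `aws s3 ls`); keys containing whitespace are not handled
for key in $(aws s3 ls "s3://$target" --recursive | awk '{print $4}') ; do
  # Skip "directory" placeholder keys that end in /
  [ "${key: -1}" == "/" ] || {
    # Non-empty only when the object's ACL has a grant to the AllUsers group
    award=$(aws s3api get-object-acl --bucket "$target" --key "$key" | jq '.Grants[].Grantee | .URI' | grep -v 'null' | grep AllUsers)

    [ ! -z "${award}" ] && {
      # Back up the current ACL before changing it
      policy=$(aws s3api get-object-acl --bucket "$target" --key "$key")
      printf '%s: %s\n%s\n\n' "$target" "$key" "$policy" >> /tmp/policy-backup.json
      echo -e "Working on: $key"

      s3cmd setacl "s3://$target/$key" --acl-private  ## s3cmd must be configured to your env
    }
  }
done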

Here is a jq filter which will remove all .Grants array elements where .Grantee.URI is "http://acs.amazonaws.com/groups/global/AllUsers":

.Grants |= map( select(.Grantee.URI != "http://acs.amazonaws.com/groups/global/AllUsers") )

Output: as requested

You can use the built-in --query option in the AWS CLI. The benefit is that you don't need any external tools:

 # Owner is the top-level key of the get-object-acl response
 aws s3api get-object-acl --bucket "$BUCKET" --key "$KEY" \
   --query "{Owner: Owner, \
             Grants: Grants[?Grantee.URI != 'http://acs.amazonaws.com/groups/global/AllUsers']}"

The grant specified in the question can also be removed directly with del. For example

del(
    .Grants[]
  | select(.Grantee.URI == "http://acs.amazonaws.com/groups/global/AllUsers")
)
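
Added example, not part of any answer above and not AWS's own code: the jq filter from the answers wrapped in shell functions that count and strip AllUsers grants, plus a hypothetical `fix_object_acl` helper that backs up the ACL and writes the filtered one back with `aws s3api put-object-acl --access-control-policy`. The sample ACL and its IDs are constructed, and the write-back assumes the `get-object-acl` output carries each grantee's `Type` field, which `put-object-acl` requires.

```bash
#!/usr/bin/env bash
# Added example: strip AllUsers grants from one object's ACL and write it back.
ALL_USERS_URI='http://acs.amazonaws.com/groups/global/AllUsers'

# Constructed sample shaped like `aws s3api get-object-acl` output (IDs are placeholders).
SAMPLE_ACL='{
  "Owner": {"DisplayName": "example", "ID": "OWNER-ID-PLACEHOLDER"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ_ACP"}
  ]
}'

# stdin: ACL JSON. stdout: number of grants whose grantee is the AllUsers group.
count_public_grants() {
  jq --arg uri "$ALL_USERS_URI" '[.Grants[] | select(.Grantee.URI == $uri)] | length'
}

# stdin: ACL JSON. stdout: compact JSON with only Owner and the non-AllUsers grants;
# other top-level keys are dropped so the result fits --access-control-policy.
strip_public_grants() {
  jq -c --arg uri "$ALL_USERS_URI" \
    '{Owner: .Owner, Grants: (.Grants | map(select(.Grantee.URI != $uri)))}'
}

# Hypothetical helper: fetch, back up, filter and re-apply the ACL of one object.
# Usage: fix_object_acl BUCKET KEY [BACKUP_DIR]
fix_object_acl() {
  local bucket="$1" key="$2" backup_dir="${3:-./acl-backup}" acl cleaned
  acl=$(aws s3api get-object-acl --bucket "$bucket" --key "$key") || return 1
  # Leave objects without an AllUsers grant untouched.
  [ "$(printf '%s' "$acl" | count_public_grants)" -gt 0 ] || return 0
  cleaned=$(printf '%s' "$acl" | strip_public_grants) || return 1
  # Refuse to write an ACL with no grants left; that case needs a deliberate decision.
  [ "$(printf '%s' "$cleaned" | jq '.Grants | length')" -gt 0 ] || {
    echo "no grants would remain for: $key" >&2
    return 2
  }
  # Keep the original ACL on disk before changing anything.
  mkdir -p "$backup_dir/$(dirname "$key")" || return 1
  printf '%s\n' "$acl" > "$backup_dir/$key.acl.json" || return 1
  aws s3api put-object-acl --bucket "$bucket" --key "$key" --access-control-policy "$cleaned"
}
```

Unlike `s3cmd setacl --acl-private`, this keeps every grant other than the AllUsers ones.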