如何仅允许对 Amazon S3 存储桶中特定目录的 PutObject 权限
How to allow only PutObject permissions on specific directory in Amazon S3 bucket
我正在尝试为 Amazon IAM 用户配置一个允许他们仅向 s3 存储桶的特定文件夹执行上传的策略。
策略写成这样我就可以成功上传图片了:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:Put*"
],
"Resource": "*"
}
]
}
我的上传功能(在带有浏览器端 javascript aws-sdk 的 coffeescript 中):
s3.putObject data, (err, data) =>
if err
console.log err
console.log 'Error uploading data: ', data
else
console.log 'succesfully uploaded the image!'
但是我想将权限范围限制为仅允许 putObject,并且仅在特定目录中。我认为此政策会奏效,但它会引发 403 错误:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": "arn:aws:s3:::my_bucket/example_directory"
}
]
}
我的政策是否有语法错误,或者我做错了什么?我对编写 IAM 策略还是个新手。
更新
通过让以下代码在 IAM 模拟器中运行,我取得了一些进展,但不幸的是,尽管我说应该允许 putObject,但当我尝试实际上传时,它仍然抛出 403 错误。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject*"
],
"Resource": "*"
},
{
"Effect": "Deny",
"Action": [
"s3:PutObjectAcl*",
"s3:PutObjectVersionAcl*"
],
"Resource": "*"
}
]
}
尝试:
"Resource": "arn:aws:s3:::my_bucket/example_directory/*"
我终于按预期工作了,关键是我必须在 Deny 部分使用 NotAction 和 NotResource。
见以下代码:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject*"
],
"Resource": [
"arn:aws:s3:::mybucket/myfolder",
"arn:aws:s3:::mybucket/myfolder/*"
]
},
{
"Effect": "Deny",
"NotAction": [
"s3:PutObjectAcl*",
"s3:PutObjectVersionAcl*"
],
"NotResource": [
"arn:aws:s3:::mybucket/myfolder",
"arn:aws:s3:::mybucket/myfolder/*"
]
}
]
}
我正在尝试为 Amazon IAM 用户配置一个允许他们仅向 s3 存储桶的特定文件夹执行上传的策略。
策略写成这样我就可以成功上传图片了:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:Put*"
],
"Resource": "*"
}
]
}
我的上传功能(在带有浏览器端 javascript aws-sdk 的 coffeescript 中):
s3.putObject data, (err, data) =>
if err
console.log err
console.log 'Error uploading data: ', data
else
console.log 'succesfully uploaded the image!'
但是我想将权限范围限制为仅允许 putObject,并且仅在特定目录中。我认为此政策会奏效,但它会引发 403 错误:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": "arn:aws:s3:::my_bucket/example_directory"
}
]
}
我的政策是否有语法错误,或者我做错了什么?我对编写 IAM 策略还是个新手。
更新
通过让以下代码在 IAM 模拟器中运行,我取得了一些进展,但不幸的是,尽管我说应该允许 putObject,但当我尝试实际上传时,它仍然抛出 403 错误。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject*"
],
"Resource": "*"
},
{
"Effect": "Deny",
"Action": [
"s3:PutObjectAcl*",
"s3:PutObjectVersionAcl*"
],
"Resource": "*"
}
]
}
尝试:
"Resource": "arn:aws:s3:::my_bucket/example_directory/*"
我终于按预期工作了,关键是我必须在 Deny 部分使用 NotAction 和 NotResource。
见以下代码:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject*"
],
"Resource": [
"arn:aws:s3:::mybucket/myfolder",
"arn:aws:s3:::mybucket/myfolder/*"
]
},
{
"Effect": "Deny",
"NotAction": [
"s3:PutObjectAcl*",
"s3:PutObjectVersionAcl*"
],
"NotResource": [
"arn:aws:s3:::mybucket/myfolder",
"arn:aws:s3:::mybucket/myfolder/*"
]
}
]
}