S3 bucket policy to set a folder readable by a referring URL, and another folder only available to AWS user

We have a Laravel application running at the URL www.example.com, connected to a bucket that contains 3 folders:

folder_a
folder_b
folder_c

Ideally, we would like the app to be able to:

In addition, folder_b and folder_c should be completely inaccessible from the internet (no listing of the folders, and no fetching of objects even when the URL is known). At the same time, the IAM user should be able to access everything and upload/download/edit/delete everything.

We have tried many bucket policies without success. We have successfully created the IAM user, and our Laravel application is already sending objects to S3.

NOTE: This is not about Laravel configuration, it's about S3 bucket policies. The app is already sending objects to S3 correctly, and all objects are public now.

Assuming you eventually want to get rid of public accessibility on the S3 bucket, since that is generally not a good idea unless you only allow a few static, harmless files.

Here is the bucket policy (the policy language does not allow comments, so each statement's purpose is carried in its Sid):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LaravelUserListBucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::1234567890:user/<laravel_iam_user>"
            },
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<yourbucket>"
            ]
        },
        {
            "Sid": "LaravelUserUpload",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::1234567890:user/<laravel_iam_user>"
            },
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::<yourbucket>/folder_a/*",
                "arn:aws:s3:::<yourbucket>/folder_b/*",
                "arn:aws:s3:::<yourbucket>/folder_c/*"
            ]
        },
        {
            "Sid": "DownloadOnlyFromExampleComReferer",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::<yourbucket>/folder_a/*"
            ],
            "Condition": {
               "StringLike": {"aws:Referer":["http://www.example.com/*","http://example.com/*"]}
            }
        }
    ]
}

Edit: since the OP actually wants public access to part of the bucket, not all 4 Block Public Access settings should be checked.
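The following Python is an added example, not code from the question or the answer above. It builds a policy of the same shape as valid JSON (Sid fields instead of comments, a 12-digit placeholder account ID, the IAM user granted get/put/delete in every folder, and both http and https Referer variants, which the answer's policy does not include), and then runs a local approximation of how S3 evaluates an anonymous GetObject against it. The point it adds is the caveat a practitioner needs here: aws:Referer comes from a client-supplied HTTP header, so the same request that passes from your site also passes from curl with a forged header. The condition stops casual hotlinking, not a determined reader. The account ID, user, bucket and domain names are placeholders.

```python
"""Added example: build an S3 bucket policy of the kind discussed above as
valid JSON, and show what an aws:Referer condition does and does not stop.
All identifiers below are placeholders, not real resources."""
import json
import re

ACCOUNT_ID = "123456789012"      # placeholder; AWS account IDs are 12 digits
IAM_USER = "laravel_iam_user"    # placeholder
BUCKET = "yourbucket"            # placeholder
PUBLIC_PREFIXES = ["folder_a"]
PRIVATE_PREFIXES = ["folder_b", "folder_c"]
# Both schemes; the original policy only matched http://
SITE_REFERERS = [
    "http://www.example.com/*", "https://www.example.com/*",
    "http://example.com/*", "https://example.com/*",
]


def build_policy(account_id=ACCOUNT_ID, iam_user=IAM_USER, bucket=BUCKET,
                 public_prefixes=PUBLIC_PREFIXES,
                 private_prefixes=PRIVATE_PREFIXES, referers=SITE_REFERERS):
    """Return the bucket policy as a dict; json.dumps() gives the document
    for put-bucket-policy. The policy language has no comments, so each
    statement's purpose goes in its Sid."""
    user_arn = f"arn:aws:iam::{account_id}:user/{iam_user}"
    bucket_arn = f"arn:aws:s3:::{bucket}"
    all_prefixes = list(public_prefixes) + list(private_prefixes)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # the app's IAM user may list the bucket
                "Sid": "AppUserListBucket",
                "Effect": "Allow",
                "Principal": {"AWS": user_arn},
                "Action": "s3:ListBucket",
                "Resource": bucket_arn,
            },
            {   # the app's IAM user may read, write and delete in every folder
                "Sid": "AppUserObjectAccess",
                "Effect": "Allow",
                "Principal": {"AWS": user_arn},
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": [f"{bucket_arn}/{p}/*" for p in all_prefixes],
            },
            {   # anonymous reads of the public folder, gated on Referer only
                "Sid": "RefererGatedPublicRead",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": [f"{bucket_arn}/{p}/*" for p in public_prefixes],
                "Condition": {"StringLike": {"aws:Referer": list(referers)}},
            },
        ],
    }


def string_like(value, patterns):
    """IAM StringLike semantics: case-sensitive, '*' any run, '?' one char."""
    for pat in patterns:
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                        for c in pat)
        if re.fullmatch(regex, value):
            return True
    return False


def _as_list(v):
    return v if isinstance(v, list) else [v]


def anonymous_get_allowed(policy, bucket, key, referer=None):
    """Local approximation of evaluating an unauthenticated GetObject:
    allowed only if some Principal:* Allow matches; a missing Referer header
    means the StringLike condition is false (no IfExists)."""
    obj_arn = f"arn:aws:s3:::{bucket}/{key}"
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or st["Principal"] != "*":
            continue
        if "s3:GetObject" not in _as_list(st["Action"]):
            continue
        if not string_like(obj_arn, _as_list(st["Resource"])):
            continue
        wanted = st.get("Condition", {}).get("StringLike", {}).get("aws:Referer")
        if wanted is None:
            return True
        if referer is not None and string_like(referer, _as_list(wanted)):
            return True
    return False


def private_prefixes_never_public(policy, bucket, private_prefixes):
    """Check: no folder meant to be private is reachable via any Principal:*."""
    for st in policy["Statement"]:
        if st["Principal"] != "*":
            continue
        for p in private_prefixes:
            if string_like(f"arn:aws:s3:::{bucket}/{p}/x", _as_list(st["Resource"])):
                return False
    return True


if __name__ == "__main__":
    policy = build_policy()
    print(json.dumps(policy, indent=2))
    key = "folder_a/logo.png"
    print(anonymous_get_allowed(policy, BUCKET, key, "http://www.example.com/gallery"))  # True
    print(anonymous_get_allowed(policy, BUCKET, key, "http://www.example.com/"))  # True: forged header passes too
    print(anonymous_get_allowed(policy, BUCKET, key))  # False: no header
    print(anonymous_get_allowed(policy, BUCKET, "folder_b/invoice.pdf", "http://www.example.com/"))  # False
```

The second True line is the caveat: `curl -H "Referer: http://www.example.com/" https://yourbucket.s3.amazonaws.com/folder_a/logo.png` is indistinguishable from a browser on the site. If folder_a must not be readable by anyone who knows the URL, serve it through the application (or a CDN with signed URLs) instead of relying on the header; the private folders are kept private simply by never appearing in a Principal "*" statement, which `private_prefixes_never_public` checks.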