如何解锁或删除无意中被存储桶策略锁定的 AWS S3 存储桶?
How do I unlock or delete an AWS S3 bucket that inadvertently locked with a bucket policy?
我是 AWS 账户所有者,管理员(IAM 和 root 密码 - 我知道不推荐,但有一些依赖 root pw 的遗留应用程序)。我最近添加了一个存储桶策略,该策略随后使存储桶锁定为我无法访问:
$ aws s3 rb s3://<my-bucket> --force
A client error (AccessDenied) occurred when calling the ListObjects operation: Access Denied
Completed 1 part(s) with ... file(s) remaining
remove_bucket failed: s3://<my-bucket>/ A client error (AccessDenied) occurred when calling the DeleteBucket operation: Access Denied
我尝试了 CLI 和 AWS S3 控制台,但只收到错误:Sorry! You do not have permissions to view this bucket.
这个桶完全是空的,这让我松了一口气,但我需要使用这个特定的名称,但因为我无法用它做任何事情而卡住了。
我希望我不是唯一经历过这种困境的人。
(P.S。- 我会 post 我使用的确切存储桶策略,但我是使用控制台创建它的,如果我怀疑我输入的某些部分不正确,我无法理解 copy/paste 在这里为您提供...)
此致,杰夫。
由于您是root用户,我认为这种方法可能会有所帮助:
第 1 步:创建 IAM 用户。
第 2 步:创建具有删除存储桶权限的策略并将其与第 1 步中创建的 IAM 用户相关联。
第 3 步:将用户关联到您的 s3 存储桶。
使用创建的用户凭据登录并尝试删除存储桶。
如果您以 root 用户身份登录,请转到 S3 管理控制台并找到存储桶。
Select 列表中的桶没有打开它。
单击 "actions",然后单击 "properties"。
删除 "permissions" 部分中的存储桶策略。
然后使用 "actions" 菜单删除存储桶。
直接来自 AWS 支持:
Hello,
G** here with AWS Support. I understand that your bucket policy for S3
bucket ‘s3-bucket-name’ prevents access, or removal of bucket. There
are a couple of ways you can delete the bucket policy as follows and
then delete the bucket itself:
- Log into the AWS S3 Console with root credentials. Please note that the root account is different than an account with ‘Administrator
Access’ [1]. The root account should have access to modify/delete this
bucket policy. Unfortunately, I have noticed that this is a fickle
option which only works sometimes. OR
- (Option works all of the time) Delete bucket policy through AWS cli as follows (Linux and Windows options):
Via Linux: $ export AWS_DEFAULT_REGION= us-east-1 $ export
AWS_ACCESS_KEY_ID="ROOT_KEY_ID" $ export
AWS_SECRET_ACCESS_KEY="ROOT_SECRET_KEY" $ aws s3api
delete-bucket-policy --bucket s3-bucket-name
Via Windows: set AWS_DEFAULT_REGION= us-east-1 set
AWS_ACCESS_KEY_ID="ROOT_KEY_ID" set
AWS_SECRET_ACCESS_KEY="ROOT_SECRET_KEY" aws s3api delete-bucket-policy
--bucket s3-bucket-name
If so, could you please provide the output for the following after
setting up your root account credentials: $ aws s3api
delete-bucket-policy --bucket s3-bucket-name --debug
Note that these are both using root account credentials. Please
attempt these methods and let me know if you have any issue. I hope
this information was helpful. Please feel free to reach out to me with
any additional questions or concerns.
[1] Root Account vs IAM User -
http://docs.aws.amazon.com/es_es/general/latest/gr/root-vs-iam.html
Best regards, G**
选项 2 对我有用。
干杯!
我是 AWS 账户所有者,管理员(IAM 和 root 密码 - 我知道不推荐,但有一些依赖 root pw 的遗留应用程序)。我最近添加了一个存储桶策略,该策略随后使存储桶锁定为我无法访问:
$ aws s3 rb s3://<my-bucket> --force
A client error (AccessDenied) occurred when calling the ListObjects operation: Access Denied
Completed 1 part(s) with ... file(s) remaining
remove_bucket failed: s3://<my-bucket>/ A client error (AccessDenied) occurred when calling the DeleteBucket operation: Access Denied
我尝试了 CLI 和 AWS S3 控制台,但只收到错误:Sorry! You do not have permissions to view this bucket.
这个桶完全是空的,这让我松了一口气,但我需要使用这个特定的名称,但因为我无法用它做任何事情而卡住了。
我希望我不是唯一经历过这种困境的人。
(P.S。- 我会 post 我使用的确切存储桶策略,但我是使用控制台创建它的,如果我怀疑我输入的某些部分不正确,我无法理解 copy/paste 在这里为您提供...)
此致,杰夫。
由于您是root用户,我认为这种方法可能会有所帮助:
第 1 步:创建 IAM 用户。
第 2 步:创建具有删除存储桶权限的策略并将其与第 1 步中创建的 IAM 用户相关联。
第 3 步:将用户关联到您的 s3 存储桶。
使用创建的用户凭据登录并尝试删除存储桶。
如果您以 root 用户身份登录,请转到 S3 管理控制台并找到存储桶。
Select 列表中的桶没有打开它。
单击 "actions",然后单击 "properties"。
删除 "permissions" 部分中的存储桶策略。
然后使用 "actions" 菜单删除存储桶。
直接来自 AWS 支持:
Hello,
G** here with AWS Support. I understand that your bucket policy for S3 bucket ‘s3-bucket-name’ prevents access, or removal of bucket. There are a couple of ways you can delete the bucket policy as follows and then delete the bucket itself:
- Log into the AWS S3 Console with root credentials. Please note that the root account is different than an account with ‘Administrator Access’ [1]. The root account should have access to modify/delete this bucket policy. Unfortunately, I have noticed that this is a fickle option which only works sometimes. OR
- (Option works all of the time) Delete bucket policy through AWS cli as follows (Linux and Windows options):
Via Linux: $ export AWS_DEFAULT_REGION= us-east-1 $ export AWS_ACCESS_KEY_ID="ROOT_KEY_ID" $ export AWS_SECRET_ACCESS_KEY="ROOT_SECRET_KEY" $ aws s3api delete-bucket-policy --bucket s3-bucket-name
Via Windows: set AWS_DEFAULT_REGION= us-east-1 set AWS_ACCESS_KEY_ID="ROOT_KEY_ID" set AWS_SECRET_ACCESS_KEY="ROOT_SECRET_KEY" aws s3api delete-bucket-policy --bucket s3-bucket-name
If so, could you please provide the output for the following after setting up your root account credentials: $ aws s3api delete-bucket-policy --bucket s3-bucket-name --debug
Note that these are both using root account credentials. Please attempt these methods and let me know if you have any issue. I hope this information was helpful. Please feel free to reach out to me with any additional questions or concerns.
[1] Root Account vs IAM User - http://docs.aws.amazon.com/es_es/general/latest/gr/root-vs-iam.html
Best regards, G**
选项 2 对我有用。
干杯!