我在亚马逊 s3 上创建了一个存储桶,并添加了存储桶策略,授予另一个用户帐户上传文件的权限。我添加了以下存储桶策略。
但是,现在我自己无法下载分享者上传的文件。我想我还没有给他们 acl 权限。我应该如何继续下载文件。他们可以从他们的一端授予上传文件的权限吗?
{
"Version": "2008-10-17",
"Id": "Policyxxxxxxxxxxxx",
"Statement": [
{
"Sid": "Stmtxxxxxxxxxxxxx",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account_number>:root"
},
"Action": [
"s3:AbortMultipartUpload",
"s3:GetObject",
"s3:ListMultipartUploadParts",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::<bucket_name>/*"
},
{
"Sid": "Stmtxxxxxxxxxxx",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account_number>:root"
},
"Action": [
"s3:PutBucketLogging",
"s3:PutBucketNotification",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::<bucket_name>"
}
]
}
最佳答案
所以问题是亚马逊 s3 存储桶仅将存储桶策略应用于存储桶所有者拥有的对象。因此,如果您是存储桶所有者并通过存储桶策略授予了放置对象的权限,则意味着您还需要确保他们在对象上传期间授予您权限。在授予跨账户上传对象的权限时,可以仅限制具有只读权限的对象。
来源:http://docs.aws.amazon.com/AmazonS3/latest/dev/AccessPolicyLanguage_UseCases_s3_a.html 相关讨论:https://forums.aws.amazon.com/thread.jspa?messageID=524342&%20#524342 存储桶策略示例:
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"111",
"Effect":"Allow",
"Principal":{
"AWS":"1111111111"
},
"Action":"s3:PutObject",
"Resource":"arn:aws:s3:::examplebucket/*"
},
{
"Sid":"112",
"Effect":"Deny",
"Principal":{
"AWS":"1111111111"
},
"Action":"s3:PutObject",
"Resource":"arn:aws:s3:::examplebucket/*",
"Condition":{
"StringNotEquals":{
"s3:x-amz-grant-full-control":[
"emailAddress=xyz@amazon.com"
]
}
}
}
]
}
关于amazon-web-services - 无法下载共享帐户 s3 存储桶上传的文件,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/22944054/