我正在尝试列出S3存储桶中的所有文件。但是不断出现错误,拒绝访问。我认为我的IAM用户具有必要的权限:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SID",
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketNotification",
"s3:GetBucketPolicy",
"s3:GetBucketRequestPayment",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetLifecycleConfiguration",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectTorrent",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:GetObjectVersionTorrent",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions",
"s3:ListMultipartUploadParts",
"s3:PutBucketAcl",
"s3:PutBucketCORS",
"s3:PutBucketLogging",
"s3:PutBucketNotification",
"s3:PutBucketPolicy",
"s3:PutBucketRequestPayment",
"s3:PutBucketTagging",
"s3:PutBucketVersioning",
"s3:PutBucketWebsite",
"s3:PutLifecycleConfiguration",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl",
"s3:RestoreObject"
],
"Resource": [
"arn:aws:s3:::bucket/*"
]
}
]
}
如果我授予对S3的完全访问权限(AmazonS3FullAccess策略),我可以列出对象。可能是什么问题?我想我只删除了在自定义策略中删除和创建存储桶的权限。
当我添加对同一策略的完全访问权限时:
"Action": [
"s3:*"
],
我仍然无法列出对象。但是使用当前权限,我可以上载和删除对象。
最佳答案
刚找到答案!该策略中允许的操作是正确的。问题出在Resource上。我正在使用这个:
"Resource": [
"arn:aws:s3:::bucket/*"
]
但看起来它没有授予存储桶根目录的权限。没有完全访问权限。因此,要使其正常工作,我们必须像这样删除
/:"Resource": [
"arn:aws:s3:::bucket*"
]
现在,它就像一种魅力一样工作。
关于amazon-web-services - 可以上传文件,但不能列出S3存储桶对象。获取访问被拒绝错误,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/35811337/