我有一个名为 Role1 的角色。该角色应用了以下策略。
我有一个 IAM 角色为 Role1 的 ec2 实例。
当我尝试 conn.get_bucket('fooo_udata') 时,我返回了 403 错误。
对此有什么想法吗?
{
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListAllMyBuckets"],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": ["s3:ListBucket","s3:GetBucketLocation","s3:*"],
"Resource": ["arn:aws:s3:::fooo_uadata/","arn:aws:s3:::fooo_uadata/*"]
},
{
"Effect": "Allow",
"Action": ["s3:PutObject","s3:GetObject","s3:DeleteObject"],
"Resource": ["arn:aws:s3:::fooo_uadata/","arn:aws:s3:::fooo_uadata/*"]
}
]
}
最佳答案
我认为您不想在存储桶策略中包含“/”字符。所以,尝试改变:
{
"Effect": "Allow",
"Action": ["s3:ListBucket","s3:GetBucketLocation","s3:*"],
"Resource": ["arn:aws:s3:::fooo_uadata/","arn:aws:s3:::fooo_uadata/*"]
},
对此:
{
"Effect": "Allow",
"Action": ["s3:ListBucket","s3:GetBucketLocation","s3:*"],
"Resource": ["arn:aws:s3:::fooo_uadata","arn:aws:s3:::fooo_uadata*"]
},
因为您的存储桶的名称是 foo_uadata 而不是 foo_uadata/。
关于amazon-s3 - Boto 无法使用 S3 IAM 角色进行身份验证,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/17623273/