我在存储桶上设置了权限,允许“Authenticated Users”从我创建的存储桶中列出,上传和删除。这似乎允许我将文件上传到存储桶,但看起来这个权限不包括从存储桶下载文件,而是需要为存储桶定义策略。我不清楚如何制定这样的政策。我在我应该填写的内容中尽可能地猜测了策略生成器,但是当我将其作为新的策略粘贴到存储桶时,结果不是有效的策略(它失败并显示消息Action does not apply to any resource(s) in statement - Action "s3:ListBucket" in Statement "Stmt-some-number")。有人可以解释以下策略的问题以及如何正确设置它以允许经过身份验证的用户从存储桶中检索文件吗?
{
"Id": "Policy-some-number",
"Statement": [
{
"Sid": "Stmt-some-number",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*",
"Principal": {
"AWS": [
"*"
]
}
}
]
}
答案 0 :(得分:82)
s3:GetObject适用于存储桶中的对象,因此资源是正确的:"Resource": "arn:aws:s3:::my-bucket/*"。
s3:ListBucket适用于Bucket本身,因此资源应为"Resource": "arn:aws:s3:::my-bucket"
您的结果政策应该类似于:
{
"Id": "Policy-some-number",
"Statement": [
{
"Sid": "Stmt-some-number",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*",
"Principal": {
"AWS": [
"*"
]
}
},
{
"Sid": "Stmt-some-other-number",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket",
"Principal": {
"AWS": [
"*"
]
}
}
]
}
答案 1 :(得分:32)
赞美@ c4urself答案。答案也有助于解决我的问题,但AWS文档中有一些指示,您可以添加多个资源,只需使用[]将它们作为列表。 http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html#vpc-endpoints-s3-bucket-policies
{
"Statement": [
{
"Sid": "Access-to-specific-bucket-only",
"Principal": "*",
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::my_secure_bucket",
"arn:aws:s3:::my_secure_bucket/*"]
}
]
}
答案 2 :(得分:-1)
{
"Version": "2012-10-17",
"Id": "Policy1546023103427",
"Statement": [
{
"Sid": "Stmt1546023101836",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::usagereports-atul",
"arn:aws:s3:::usagereports-atul/*"
]
}
]
}