我已经使用Bucket Policy配置了我的S3存储桶,看起来像这样
{
"Version": "2012-10-17",
"Id": "Policy100000000000",
"Statement": [
{
"Sid": "Stmt1463490591045",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucketname/*"
},
{
"Sid": "Stmt1463490591012",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::012345678900:user/user1",
"arn:aws:iam::012345678900:user/user2"
]
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::bucketname"
},
{
"Sid": "Stmt1463490660089",
"Effect": "Deny",
"NotPrincipal": {
"AWS": [
"arn:aws:iam::012345678900:user/user1",
"arn:aws:iam::012345678900:user/user2"
]
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucketname/*.xml"
}
]
}
目标是仅允许桶根中的xml文件访问所选用户。该规则似乎不起作用,因为我被拒绝访问
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>DE3DB1FF18B53997</RequestId><HostId>Iy+RnfkFKygJWkSTI0dXjssFsGFP2MydZZi/R5KBw5M8mZnfClt6HMOKJvAwy7sJgSx9BJQ3DbN=</HostId></Error>
我尝试使用AWS Node.js和Python SDK以及aws-cli获取xml文件。我一直收到相同的拒绝访问消息。
关于存储桶策略的AWS文档非常分散,并没有为我提供问题的解决方案。关于在政策中使用notPrincipal的文档很少。
ListBucket权限可以正常运行,这意味着问题特定于规则,而不是目标用户。
答案 0 :(得分:0)
您的上一个拒绝政策根本不会讨论主要用户1或用户2的请求应该发生什么(允许或拒绝)。当您以user1或user2发送s3请求时,存储桶策略将不会产生任何影响(因为它没有任何规则与主体user1或user2匹配给定操作和给定资源)。
The goal is to allow access to xml files in the bucket root to the selected users only
在这种情况下,您可以提及一条规则,明确允许这些用户访问您的xml文件。
{
"Sid": "Stmt1463490660089",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::012345678900:user/user1",
"arn:aws:iam::012345678900:user/user2"
]
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucketname/*.xml"
}