S3 bucket policy to deny access to everything except an IAM role and an instance profile

Time: 2019-05-12 06:34:45

Tags: apache-spark amazon-s3 amazon-iam amazon-emr

I have an EMR cluster with a step that writes and deletes objects in an S3 bucket. I have been trying to create a bucket policy on that S3 bucket which denies delete access to every principal except the EMR role and the instance profile. Below is my policy.

{
    "Version": "2008-10-17",
    "Id": "ExamplePolicyId123458",
    "Statement": [
        {
            "Sid": "ExampleStmtSid12345678",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "s3:DeleteBucket",
                "s3:DeleteObject*"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "AROAI3FK4OGNWXLHB7IXM:*", #EMR Role Id
                        "AROAISVF3UYNPH33RYIZ6:*", # Instance Profile Role ID
                        "AIPAIDBGE7J475ON6BAEU" # Instance Profile ID
                    ]
                }
            }
        }
    ]
}

As I found somewhere, it is not possible to use a wildcard entry in the "NotPrincipal" section to cover every role session, so I used a condition on aws:userId to match them instead.

As long as I run the EMR step without the bucket policy, the step completes successfully. However, when I add the policy to the bucket and rerun it, the step fails with the following error.

diagnostics: User class threw exception:
org.apache.hadoop.fs.s3a.AWSS3IOException: delete on s3://vr-dump/metadata/test:
com.amazonaws.services.s3.model.MultiObjectDeleteException: One or more objects could not be deleted 
(Service: null; Status Code: 200; Error Code: null; Request ID: 9FC4797479021CEE; S3 Extended Request ID: QWit1wER1s70BJb90H/0zLu4yW5oI5M4Je5aK8STjCYkkhZNVWDAyUlS4uHW5uXYIdWo27nHTak=), S3 Extended Request ID: QWit1wER1s70BJb90H/0zLu4yW5oI5M4Je5aK8STjCYkkhZNVWDAyUlS4uHW5uXYIdWo27nHTak=: One or more objects could not be deleted (Service: null; Status Code: 200; Error Code: null; Request ID: 9FC4797479021CEE; S3 Extended Request ID: QWit1wER1s70BJb90H/0zLu4yW5oI5M4Je5aK8STjCYkkhZNVWDAyUlS4uHW5uXYIdWo27nHTak=)

What is the problem here? Is it related to the EMR Spark configuration or to the bucket policy?

1 answer:

Answer 0 (score: 1)

Assuming those role IDs are correct (they start with AROA, so they have a valid format), I believe you also need the AWS account number in that policy. For example:

{
    "Version": "2008-10-17",
    "Id": "ExamplePolicyId123458",
    "Statement": [
        {
            "Sid": "ExampleStmtSid12345678",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "s3:DeleteBucket",
                "s3:DeleteObject*"
            ],
            "Resource": [
                "arn:aws:s3:::vr-dump",
                "arn:aws:s3:::vr-dump/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "AROAI3FK4OGNWXLHB7IXM:*", # EMR Role Id
                        "AROAISVF3UYNPH33RYIZ6:*", # Instance Profile Role ID
                        "AIPAIDBGE7J475ON6BAEU", # Instance Profile ID
                        "1234567890" # Your AWS Account Number
                    ]
                }
            }
        }
    ]
}
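To see which callers the Deny statement actually catches, here is an added example (not from the question or the answer) that reproduces IAM's StringNotLike matching for the aws:userId condition offline: '*' and '?' wildcards, case-sensitive, and a negated operator with several values being true only when the key matches none of them. The role, instance profile and account IDs are taken from the posts above; the object key, the IAM user ID "AIDAEXAMPLEUSER12345" and the session name "EMR_DefaultRole" are constructed.

```python
import re

# Constructed copy of the answer's Deny statement; the posted JSON's inline
# comments (not valid JSON) are moved into Python comments here.
DENY_STATEMENT = {
    "Effect": "Deny",
    "Action": ["s3:DeleteBucket", "s3:DeleteObject*"],
    "Resource": ["arn:aws:s3:::vr-dump", "arn:aws:s3:::vr-dump/*"],
    "Condition": {"StringNotLike": {"aws:userId": [
        "AROAI3FK4OGNWXLHB7IXM:*",  # EMR role ID, any session name
        "AROAISVF3UYNPH33RYIZ6:*",  # instance profile role ID, any session
        "AIPAIDBGE7J475ON6BAEU",    # instance profile ID
        "1234567890",               # account number placeholder (the answer's addition)
    ]}},
}
# The question's version of the condition: the same list minus the account number.
QUESTION_USER_IDS = DENY_STATEMENT["Condition"]["StringNotLike"]["aws:userId"][:-1]

def iam_like(pattern: str, value: str) -> bool:
    """IAM StringLike matching: '*' is any run of characters, '?' exactly one,
    everything else literal and case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None

def statement_denies(action: str, resource: str, user_id: str,
                     allowed_user_ids=None) -> bool:
    """True if the Deny statement applies to a request with this action, resource
    and aws:userId. allowed_user_ids replaces the statement's condition list."""
    stmt = DENY_STATEMENT
    if not any(iam_like(p, action) for p in stmt["Action"]):
        return False
    if not any(iam_like(p, resource) for p in stmt["Resource"]):
        return False
    patterns = (stmt["Condition"]["StringNotLike"]["aws:userId"]
                if allowed_user_ids is None else allowed_user_ids)
    # Negated operator with several values: true only if the key matches none.
    return not any(iam_like(p, user_id) for p in patterns)

if __name__ == "__main__":
    obj = "arn:aws:s3:::vr-dump/metadata/test/part-00000"  # constructed key
    # aws:userId for an assumed-role session is "ROLEID:session-name"; the
    # session name EMR_DefaultRole is a constructed example.
    for uid in ("AROAI3FK4OGNWXLHB7IXM:EMR_DefaultRole", "AIDAEXAMPLEUSER12345",
                "1234567890"):
        print(uid, "denied:", statement_denies("s3:DeleteObject", obj, uid),
              "/ without account entry:",
              statement_denies("s3:DeleteObject", obj, uid, QUESTION_USER_IDS))
```

Running it shows that any EMR or instance-profile role session passes under both lists, while the account-number identity is denied only under the question's list, which is the difference the answer points at.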