Minimum privileges required for s3ql on AWS S3

Time: 2019-06-06 16:10:40

Tags: amazon-web-services amazon-s3 s3ql

I'm trying to use AWS S3 as an off-site backup solution. In particular, I'm creating a cloud file system with s3ql and mounting it. To that end, I've created an IAM policy which should allow the holder to create and use the appropriate buckets.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::job/*",
                "arn:aws:s3:::<bucket>/<object>",
                "arn:aws:s3:::<bucket>"
            ]
        }
    ]
}

The idea is to start from all S3 privileges and work down from there. However, this isn't sufficient. First, I get a warning from AWS about the permissions themselves. [image] Second of all, I get an Access Denied message from mkfs.s3ql:

$ mkfs.s3ql s3://<region>/<bucket>/<directory>/test
Before using S3QL, make sure to read the user's guide, especially
the 'Important Rules to Avoid Losing Data' section.
Enter encryption password: 
Confirm encryption password: 
Generating random encryption key...
ERROR: Uncaught top-level exception:
Traceback (most recent call last):
  File "/home/core/.local/bin/mkfs.s3ql", line 11, in <module>
    load_entry_point('s3ql==3.1', 'console_scripts', 'mkfs.s3ql')()
  File "/home/core/.local/lib/python3.6/site-packages/s3ql-3.1-py3.6-linux-x86_64.egg/s3ql/mkfs.py", line 123, in main
    backend['s3ql_passphrase'] = data_pw
  File "/home/core/.local/lib/python3.6/site-packages/s3ql-3.1-py3.6-linux-x86_64.egg/s3ql/backends/common.py", line 197, in __setitem__
    self.store(key, value)
  File "/home/core/.local/lib/python3.6/site-packages/s3ql-3.1-py3.6-linux-x86_64.egg/s3ql/backends/common.py", line 307, in store
    self.perform_write(lambda fh: fh.write(val), key, metadata)
  File "/home/core/.local/lib/python3.6/site-packages/s3ql-3.1-py3.6-linux-x86_64.egg/s3ql/backends/common.py", line 108, in wrapped
    return method(*a, **kw)
  File "/home/core/.local/lib/python3.6/site-packages/s3ql-3.1-py3.6-linux-x86_64.egg/s3ql/backends/common.py", line 279, in perform_write
    return fn(fh)
  File "/home/core/.local/lib/python3.6/site-packages/s3ql-3.1-py3.6-linux-x86_64.egg/s3ql/backends/comprenc.py", line 389, in __exit__
    self.close()
  File "/home/core/.local/lib/python3.6/site-packages/s3ql-3.1-py3.6-linux-x86_64.egg/s3ql/backends/comprenc.py", line 383, in close
    self.fh.close()
  File "/home/core/.local/lib/python3.6/site-packages/s3ql-3.1-py3.6-linux-x86_64.egg/s3ql/backends/comprenc.py", line 548, in close
    self.fh.close()
  File "/home/core/.local/lib/python3.6/site-packages/s3ql-3.1-py3.6-linux-x86_64.egg/s3ql/backends/common.py", line 108, in wrapped
    return method(*a, **kw)
  File "/home/core/.local/lib/python3.6/site-packages/s3ql-3.1-py3.6-linux-x86_64.egg/s3ql/backends/s3c.py", line 909, in close
    headers=self.headers, body=self.fh)
  File "/home/core/.local/lib/python3.6/site-packages/s3ql-3.1-py3.6-linux-x86_64.egg/s3ql/backends/s3c.py", line 528, in _do_request
    self._parse_error_response(resp)
  File "/home/core/.local/lib/python3.6/site-packages/s3ql-3.1-py3.6-linux-x86_64.egg/s3ql/backends/s3c.py", line 561, in _parse_error_response
    raise get_S3Error(tree.findtext('Code'), tree.findtext('Message'), resp.headers)
s3ql.backends.s3c.AccessDeniedError: AccessDenied: Access Denied

However, if I do it with my superuser account, the file system is created successfully.

$ mkfs.s3ql s3://<region>/<bucket>/<directory>/test --authfile=super_auth
Before using S3QL, make sure to read the user's guide, especially
the 'Important Rules to Avoid Losing Data' section.
Enter encryption password: 
Confirm encryption password: 
Generating random encryption key...
Creating metadata tables...
Dumping metadata...
Dumping metadata...
..objects..
..blocks..
..inodes..
..inode_blocks..
..symlink_targets..
..names..
..contents..
..ext_attributes..
Compressing and uploading metadata...
Wrote 155 bytes of compressed metadata.
Cycling metadata backups...
Backing up old metadata...
Please store the following master key in a safe location. It allows 
decryption of the S3QL file system in case the storage objects holding 
this information get corrupted:
---BEGIN MASTER KEY---
**** **** **** **** **** **** **** **** **** **** ****
---END MASTER KEY---

Obviously I'd rather not assign superuser rights to a backup script. Is there a way to determine which permissions are invoked on which resources during a given operation? In general, it feels like this would be a good way to determine what the minimum required privileges are.
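One way to answer the question in the post, added here as an example and not code from the poster or from the s3ql project: enable CloudTrail data events (object-level logging) on the bucket, run the operation with a deliberately broad policy, then reduce the recorded S3 API calls to a least-privilege policy. The script below does that reduction over constructed CloudTrail-style records; the bucket name, keys, and the exact shape of the CopyObject record are assumptions made for the example, and the event-to-action table covers only the calls listed.

```python
import json
from collections import defaultdict

# Constructed CloudTrail-style S3 data-event records, invented for this example
# (not real logs). Field names follow the CloudTrail record format; the layout
# of the CopyObject requestParameters is an assumption.
SAMPLE_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "ListObjects",
     "requestParameters": {"bucketName": "example-bucket", "prefix": "backup/test/"},
     "errorCode": "AccessDenied"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "requestParameters": {"bucketName": "example-bucket", "key": "backup/test/s3ql_passphrase"},
     "errorCode": "AccessDenied"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "requestParameters": {"bucketName": "example-bucket", "key": "backup/test/s3ql_passphrase"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "CopyObject",
     "requestParameters": {"bucketName": "example-bucket", "key": "backup/test/s3ql_metadata_bak_0",
                           "x-amz-copy-source": "example-bucket/backup/test/s3ql_metadata"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
     "requestParameters": {"bucketName": "example-bucket", "key": "backup/test/s3ql_metadata_bak_2"}},
    # Non-S3 events in the same trail are ignored by the functions below.
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity"},
]

# S3 API name as CloudTrail records it -> (IAM action, resource scope).
# "bucket" actions are authorised against the bucket ARN, "object" actions
# against bucket/key. CopyObject is handled separately: it needs two actions.
EVENT_TO_ACTION = {
    "ListObjects": ("s3:ListBucket", "bucket"),
    "ListObjectsV2": ("s3:ListBucket", "bucket"),
    "HeadBucket": ("s3:ListBucket", "bucket"),
    "GetBucketLocation": ("s3:GetBucketLocation", "bucket"),
    "GetObject": ("s3:GetObject", "object"),
    "HeadObject": ("s3:GetObject", "object"),
    "PutObject": ("s3:PutObject", "object"),
    "DeleteObject": ("s3:DeleteObject", "object"),
}


def bucket_arn(bucket):
    return f"arn:aws:s3:::{bucket}"


def object_arn(bucket, key):
    """Object ARN widened to the key's 'directory' so one statement covers
    every object s3ql writes under that prefix, and nothing outside it."""
    prefix = key.rsplit("/", 1)[0] + "/" if "/" in key else ""
    return f"arn:aws:s3:::{bucket}/{prefix}*"


def denied_calls(records):
    """(eventName, bucket, key) for every S3 call recorded as AccessDenied.
    This names the exact API and resource the policy is missing."""
    out = []
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com" or r.get("errorCode") != "AccessDenied":
            continue
        p = r.get("requestParameters", {})
        out.append((r["eventName"], p.get("bucketName"), p.get("key")))
    return out


def required_permissions(records):
    """Map IAM action -> sorted list of resource ARNs seen for that action.
    Raises on an S3 call missing from EVENT_TO_ACTION rather than guessing."""
    perms = defaultdict(set)
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com":
            continue
        name, p = r["eventName"], r.get("requestParameters", {})
        bucket = p["bucketName"]
        if name == "CopyObject":
            # PUT Object - Copy reads the source and writes the destination.
            src_bucket, src_key = p["x-amz-copy-source"].split("/", 1)
            perms["s3:GetObject"].add(object_arn(src_bucket, src_key))
            perms["s3:PutObject"].add(object_arn(bucket, p["key"]))
            continue
        if name not in EVENT_TO_ACTION:
            raise ValueError(f"no IAM mapping for S3 call {name!r}; extend EVENT_TO_ACTION")
        action, scope = EVENT_TO_ACTION[name]
        arn = bucket_arn(bucket) if scope == "bucket" else object_arn(bucket, p["key"])
        perms[action].add(arn)
    return {a: sorted(arns) for a, arns in perms.items()}


def build_policy(perms):
    """Group actions that share a resource set into one statement. Bucket-level
    and object-level actions end up in separate statements because they
    address different ARNs (a common source of AccessDenied)."""
    by_resources = defaultdict(list)
    for action, arns in perms.items():
        by_resources[tuple(arns)].append(action)
    statements = [
        {"Sid": f"S3qlLeastPrivilege{i}", "Effect": "Allow",
         "Action": sorted(actions), "Resource": list(arns)}
        for i, (arns, actions) in enumerate(sorted(by_resources.items()))
    ]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print("denied:", denied_calls(SAMPLE_RECORDS))
    print(json.dumps(build_policy(required_permissions(SAMPLE_RECORDS)), indent=2))
```

Two caveats when applying this for real: a trail that logs only management events will not contain GetObject/PutObject at all, so data events must be enabled for the bucket first; and a single mkfs.s3ql run does not exercise every call that mount.s3ql, fsck.s3ql and the metadata backup rotation make, so the trace should cover a full create/mount/write/unmount/fsck cycle before the generated policy is trusted. AWS IAM Access Analyzer can generate a policy from CloudTrail activity in much the same way, which is worth trying before maintaining a mapping table by hand.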

0 answers:

No answers