S3存储桶的基本AWSIAM权限-BasicAWSIAMpermissionsforanS3bucket

作者：手机用户2502885647_951 | 来源：互联网 | 2023-07-28 14:39

ImtryingtofigureoutabasicpermissionsetforanIAMuserkeytohavetohaveaccesstoonlya

I'm trying to figure out a basic permission set for an IAM user/key to have to have access to only a single bucket in S3 - only read/write access on an individual bucket.

我试图弄清楚IAM用户/密钥的基本权限集必须只能访问S3中的单个存储桶 - 只对单个存储桶进行读/写访问。

What set of permissions is the minimum required to make this work? I have all options selected in the IAM policy generator for S3, all permissions enabled on the bucket except CreateBucket and DeleteBucket. I've also created a set of keys specific to this user.

使这项工作所需的最低权限是什么？我在S3的IAM策略生成器中选择了所有选项，除了CreateBucket和DeleteBucket之外，在桶上启用了所有权限。我还创建了一组特定于此用户的密钥。

When I try to access the bucket with these credentials, I get a problem listing buckets, even though the ListAllMyBuckets property is enabled.

当我尝试使用这些凭据访问存储桶时，即使启用了ListAllMyBuckets属性，我也会遇到列出存储桶的问题。

Anyone have any experience setting up a basic bucket config like this? Seems like it would be pretty common...

有没有经验设置这样的基本桶配置？好像很常见......

2 个解决方案

#1

The Example Policies for Amazon S3 cover various use cases similar or related to yours - specifically you might probably want to combine Example 1: Allow each user to have a home directory in Amazon S3 with Example 2: Allow a user to list only the objects in his or her home directory in the corporate bucket - you'd just need to adjust the Resource to target your buckets root directory instead, i.e. replace /home/bob/*with *.

Amazon S3的示例策略涵盖了与您类似或相关的各种用例 - 特别是您可能希望将示例1：允许每个用户在Amazon S3中使用示例2：允许用户仅列出对象中的主目录他或她在公司存储桶中的主目录 - 您只需要调整资源来定位您的存储桶根目录，即将/ home / bob / *替换为*。

Please note that Example 2 facilitates ListBucket, which is an operation on a bucket that returns information about some of the items in the bucket, whereas ListAllMyBuckets is an operation on the service that returns a list of all buckets owned by the sender of the request, so likely not applicable to your use case (see my comment regarding clarification of the latter).

请注意，示例2有助于ListBucket，它是一个桶上的操作，返回桶中某些项的信息，而ListAllMyBuckets是对服务的操作，返回请求发送方拥有的所有桶的列表，很可能不适用于您的用例（请参阅我对后者的澄清的评论）。

#2

This will permit to list all buckets assuming you are not denying it somewhere else (I am 99% sure deny statements are evaluated first; order does not matter with IAM policies):

这将允许列出所有桶，假设您没有在其他地方拒绝它（我99％肯定拒绝语句首先被评估;顺序与IAM策略无关）：

    {
        "Effect": "Allow",
        "Action": [
            "s3:ListAllMyBuckets"
        ],
        "Resource": "*"
    }

Permit whatever you want for your buckets (Don't forget the /* also):

允许任何你想要的桶（不要忘记/ *）：

    {
        "Effect": "Allow",
        "Action": [
            "s3:"
        ],
        "Resource": [
            "arn:aws:s3:::",
            "arn:aws:s3:::/*"
        ]
    }