组织需要什么权限才能通过travisci发布到s3
我正在将所有我的站点从我的服务器移到s3上。我已经将他们从动态网站转移到静态,因此运行服务器不再是运营所必需的。组织需要什么权限才能通过travisci发布到s3
最后一个网站是我的博客,它运行jekyll,我宁愿不必在本地构建发布新内容。我不想把它留给github页面,因为我不想锁定到jekyll。
所有这一切说,我试图将生成过程从我的jenkins服务器移到travis ci上。从文档中,我认为我给了该组正确的权限,但我没有得到它的工作,没有授予组/用户"s3:*"。
这是我目前的IAM组权限策略:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::*" ] }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:PutObjectVersion", "s3:GetObjectVersion", "s3:DeleteObjectVersion", "s3:ListMultipartUploadParts", "s3:ListMultipartUpload", "s3:RestoreObject", "s3:GetObjectVersionTorrent", "s3:GetObjectTorrent", "s3:PutObjectVersionTagging", "s3:PutObjectTagging", "s3:GetObjectVersionTagging", "s3:GetObjectTagging", "s3:DeleteObjectTagging", "s3:DeleteObjectVersionTagging" ], "Resource": [ "arn:aws:s3:::travis-s3-pub-test/*" ] } ] }
认为应根据AWS文档是唯一需要的权限是:
```
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
```
但那并不是我RK。
我从系统管理员的帮助下找到了答案,我在哪里工作,jfronza。
我错过了acl部分政策。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectTorrent", "s3:GetObjectVersion", "s3:GetObjectVersionAcl", "s3:GetObjectVersionTorrent", "s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectVersionAcl", "s3:RestoreObject" ], "Resource": [ "arn:aws:s3:::travis-s3-pub-test/", "arn:aws:s3:::travis-s3-pub-test/*" ] }, { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets" ], "Resource": [ "arn:aws:s3:::*" ] } ] }
的ACL部分是文件权限发生,自从被上传的文件必须是公开的,他们需要这个权限。
虽然Amazon docs on s3 policies在这是非常糟糕的,travisCI docs on working with s3是很好,并告诉我如果我看到他们之前,我发布了这一点。