AWS S3 ListMultipartUploads:拒绝访问
问题描述:
我已经关注了this blog,以便使用Web Identity Federation设置我的AWS IAM和S3帐户。我能够验证和接收会话证书和令牌都没问题。我也可以下载和上传对象。但是,我得到:AWS S3 ListMultipartUploads:拒绝访问
以下ListMultipartUploads要求拒绝访问
:
var request = new ListMultipartUploadsRequest()
{
BucketName = bucketName,
Prefix = $"{UserId}/"
};
var response = await s3Client.ListMultipartUploadsAsync(request);
连接到我的IAM角色的接入策略为:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::mybucket/${myidentityprovider:userId}/*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:ListBucketMultipartUploads"
],
"Resource": [
"arn:aws:s3:::mybucket"
],
"Condition": {
"StringLike": {
"s3:prefix": "${myidentityprovider:userId}/"
}
}
}
]
}
正如你所看到的,我有权限“s3:ListBucketMultipartUploads”,所以用户应该能够在他们的桶上执行ListMultiPartUploads。我究竟做错了什么?
答
我看到你的前缀语句中的错误,
它必须是一个数组,
“S3:前缀”: “$ {myidentityprovider:用户id}/*”]
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::mybucket/${myidentityprovider:userId}/*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:ListBucketMultipartUploads"
],
"Resource": [
"arn:aws:s3:::mybucket"
],
"Condition": {
"StringLike": {
"s3:prefix": ["${myidentityprovider:userId}/*"]
}
}
}
]}
+0
这也不起作用 – tura08
也许尝试没有结尾斜杠的前缀? (基于阅读[允许用户根据特定前缀获取存储桶中的对象列表](http://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys。 html#condition-key-bucket-ops-2)) –
我尝试了它,但没有使用前缀斜杠,但仍然返回访问被拒绝。 – tura08
如果删除前缀条件,它能正常工作吗? –