问题描述
我想实现一个IAM策略,其中一个用户只能访问他有权过的文件夹。我得到这个code从亚马逊的文档
I am trying to implement an IAM policy where A user can only have access to the folder he is entitled too. I got this code from Amazon docs
允许用户仅列出了在他或她的主目录中的企业桶对象
Allow a user to list only the objects in his or her home directory in the corporate bucket
这个例子建立在$ P $ pvious例如,让鲍勃主目录。为了让鲍勃列表中的对象在自己的主目录的能力,他需要获得ListBucket。然而,我们想要的结果,包括在自己的主目录只对象,而不是一切都在斗。要限制他的访问的方式,我们使用名为S3的政策条件的关键:preFIX设置为主页/鲍勃/ 的值。这意味着,只有与preFIX家/鲍勃对象/ 的将在ListBucket响应中返回。
This example builds on the previous example that gives Bob a home directory. To give Bob the ability to list the objects in his home directory, he needs access to ListBucket. However, we want the results to include only objects in his home directory, and not everything in the bucket. To restrict his access that way, we use the policy condition key called s3:prefix with the value set to home/bob/. This means that only objects with a prefix home/bob/ will be returned in the ListBucket response.
{
"Statement":[{
"Effect":"Allow",
"Action":"s3:ListBucket",
"Resource":"arn:aws:s3:::my_corporate_bucket",
"Condition":{
"StringLike":{
"s3:prefix":"home/bob/*"
}
}]
}
这是不是为我工作。当我运行我的code,我能看到所有文件夹和子文件夹。我修改code看起来是这样的:
This is not working for me. When I run my code I am able to see all the folders and sub folders. My modified code looks something like this:
{
"Statement":[{
"Effect":"Allow",
"Action":"s3:ListBucket",
"Resource":"arn:aws:s3:::Test-test",
"Condition":{
"StringLike":{
"s3:prefix":"Test/*"
}
}]
}
当我运行我的code在C#中使用一个连接到上述政策,我得到的所有文件夹,而不是仅仅在测试一个用户的凭据...真的AP preciate一些帮助!
When I run my code in c# using the credentials of the user that is attached to the above policy I get all the folders and not just the one under "Test"...Would really appreciate some help!
推荐答案
我终于得到了它的工作。虽然我认为这是在AWS管理控制台中的错误或至少它看起来像之一。问题是我的政策是正确的一路上,但它的表现有所不同,当我通过AWS管理控制台,然后软件一样莓访问它。有一件事我不得不修改是为对象的ACL设置和buckets.That也将被做得比较早过AWS控制台工作正常。反正这是我的策略:
I finally got it working. Although I think there is a bug in AWS management console or atleast it seems like one. The problem is my policy was right all along the way but it behaved differently when I accessed it through AWS management console then softwares like CloudBErry. One thing I had to modify was ACL settings for objects and buckets.That too would have been done earlier had the AWS console worked properly. Anyways here is my policy:
{
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*",
"Condition": {}
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Resource": "arn:aws:s3:::pa-test",
"Condition": {
"StringLike": {
"s3:prefix": "test/*"
}
}
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::pa-test/test/*",
"Condition": {}
}
]
}
1)现在的问题是,当我访问管理控制台通过AWS控制台此IAM用户我可以访问,当我点击我斗,虽然当我通过云莓登录我能看到我的文件夹被拒绝。2)我不得不改变我的桶和对象的ACL设置(文件夹)我斗:所有者:完全控制身份验证的用户:只读
1) The problem is when I access management console for this IAM user through AWS console I get access denied when I click on my bucket although when I log in through Cloudberry I can see my folders.2) I had to modify the ACL settings for my bucket and objects(folders)for my bucket:Owner : Full ControlAuthenticated Users : Readonly
有关我的文件夹:所有者:完全控制
For my folders:Owner : Full Control
现在的问题是,你不能设置ACL设置在AWS控制台文件夹(对象)。你可以将它们设置为文件(对象)。例如,如果你右击一个文件夹(对象)一个桶内,然后单击属性也不会告诉你一个权限选项卡。但是,如果你右键点击一个水桶或文件(说test.html的),然后单击属性,它会显示你的权限选项卡。我不知道是否有其他人注意到了这个问题。反正这是我的脚本,它现在的工作。
Now the issue is that you cannot set ACl settings for folders(object) in AWS console. You can set them for files(object). For example if you right click on a folder(object) inside a bucket and then click properties it won't show you a permission tabs. But if you right click on a bucket or a file(Say test.html) and click properties it will show you a permissions tab.I am not sure if someone else has noticed this issue. Anyways that is my script and it's working now.
这篇关于亚马逊S3创建IAM策略的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!