发表新帖
发表新帖

Access Denied upload to s3

前端 未结
关注
3 1771
渐次进展
渐次进展 2021-02-19 01:16

I tried uploading to s3 and when I see the logs from the s3 bucket logs this is what it says:

mybucket-me [17/Oct/2013:08:18:57 +0000] 120.28.112.39 
arn:aws:sts
相关标签:
3条回答
  • 有刺的猬
    2021-02-19 01:34

    To upload to S3 bucket, you need to Add/Create IAM/Group Policy, for example:

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::test"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": ["arn:aws:s3:::test/*"]
    }
  ]
}

    Where arn:aws:s3:::test is your Amazon Resource Name (ARN).

    Source: Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket

    Related:

    • Specifying Resources in a Policy
    • How to provide a user to access only a particular bucket in AWS S3?
    0 讨论(0)
  • 慢半拍i
    2021-02-19 01:51

    You can attach the following policy to the bucket:

    {
    "Version": "2008-10-17",
    "Id": "Policy1358656005371",
    "Statement": [
        {
            "Sid": "Stmt1354655992561",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:sts::778671367984:federated-user/dean@player.com"                  
                ]
            },
            "Action": [
                "s3:List*",
                "s3:Get*"
            ],
            "Resource": [
                "arn:aws:s3:::my.bucket",
                "arn:aws:s3:::my.bucket/*"
            ]
        }
    ]
}

    to grant the federated user dean@player.com read-only permissions to 'my.bucket'.

    This policy is not very maintainable because it names this user in particular. To give access to only certain federated users in a more scalable way, it would be better to do this when you call GetFederationToken. If you post your STS code I can help you assigning the policy there, but it is very similar to the above.

    0 讨论(0)
  • 遇见更好的自我
    2021-02-19 01:54

    2019+

    You now either have to:

    • Set Block new public ACLs and uploading public objects to false if your items are public (top left policie in the picture)

    • Set acl: 'private' when uploading your image if your items are private

    Example in Node.js:

    const upload = multer({
    storage: multerS3({
        s3: s3,
        bucket: 'moodboard-img',
        acl: 'private',
        metadata: function (req, file, cb) {
            cb(null, {fieldName: file.fieldname});
        },
        key: function (req, file, cb) {
            cb(null, Date.now().toString())
        }
    })
})
    0 讨论(0)
 看不清?
提交回复
热议问题