How can I make a S3 bucket public (the amazon example policy doesn't work)?

后端 未结 8 489
庸人自扰
庸人自扰 2020-12-28 16:38

Amazon provides an example for Granting Permission to an Anonymous User as follows (see Example Cases for Amazon S3 Bucket Policies):

{
    \"Versio         


        
相关标签:
8条回答
  • 2020-12-28 16:58

    If you're having this problem with Zencoder uploads, checkout this page: https://app.zencoder.com/docs/api/encoding/s3-settings/public

    0 讨论(0)
  • 2020-12-28 17:04

    I wasted hours on this, the root cause was stupid, and the solutions mentioned here didn't help (I tried them all), and the AWS s3 permissions docs didn't emphasize this point.

    If you have Requester Pays setting ON, you cannot enable Anonymous access (either by bucket policy or ACL 'Everyone'). You can sure write the policies and ACL and apply them and even use the console to explicitly set a file to public, but a non signed url will still get a 403 access denied 100% of the time on that file, until you uncheck requester pays setting in the console for the entire bucket (properties tab when bucket is selected). Or, I assume, via some API REST call.

    Unchecked Requester Pays and now anonymous access is working, with referrer restrictions, ect. In fairness, the AWS console does tell us:

    While Requester Pays is enabled, anonymous access to this bucket is disabled.

    0 讨论(0)
  • 2020-12-28 17:04

    The issue is with your Action it should be in array format

    Try this:

    {
      "Version":"2012-10-17",
      "Statement":[
        {
          "Sid":"AddPerm",
          "Effect":"Allow",
          "Principal": "*",
          "Action":["s3:GetObject"],
          "Resource":["arn:aws:s3:::examplebucket/*"]
        }
      ]
    }
    

    Pass your Bucket name in 'Resource'

    0 讨论(0)
  • 2020-12-28 17:05

    This works.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "PublicRead",
                "Effect": "Allow",
                "Principal": "*",
                "Action": [
                    "s3:GetObject",
                    "s3:GetObjectVersion"
                ],
                "Resource": "arn:aws:s3:::example-bucket/*"
            }
        ]
    }
    
    0 讨论(0)
  • 2020-12-28 17:06

    I know it is an old question but I would like to add information that may still be relevant today.

    I believe that this bucket should be a static site. Because of this, you must use a specific URL for your rules to be accepted. To do this, you must add a "website" to your URL. Otherwise, it will treat it just like an object repository.

    Example:

    With the problem pointed out: https://name-your-bucket.sa-east-1.amazonaws.com/home

    Without the problem pointed out: http://name-your-bucket.s3-website-sa-east-1.amazonaws.com/home

    Hope this helps :)

    0 讨论(0)
  • 2020-12-28 17:09

    Update

    As per GoodGets' comment, the real issue has been that bucket policies to do not apply to objects "owned" by someone else, even though they are in your bucket, see GoodGets' own answer for details (+1).


    Is this a new bucket/object setup or are you trying to add a bucket policy to a pre-existing setup?

    In the latter case you might have stumbled over a related pitfall due to the interaction between the meanwhile three different S3 access control mechanisms available, which can be rather confusing indeed. This is addressed e.g. in Using ACLs and Bucket Policies Together:

    When you have ACLs and bucket policies assigned to buckets, Amazon S3 evaluates the existing Amazon S3 ACLs as well as the bucket policy when determining an account’s access permissions to an Amazon S3 resource. If an account has access to resources that an ACL or policy specifies, they are able to access the requested resource.

    While this sounds easy enough, unintentional interferences may result from the subtle different defaults between ACLs an policies:

    With existing Amazon S3 ACLs, a grant always provides access to a bucket or object. When using policies, a deny always overrides a grant. [emphasis mine]

    This explains why adding an ACL grant always guarantees access, however, this does not apply to adding a policy grant, because an explicit policy deny provided elsewhere in your setup would still be enforced, as further illustrated in e.g. IAM and Bucket Policies Together and Evaluation Logic.

    Consequently I recommend to start with a fresh bucket/object setup to test the desired configuration before applying it to a production scenario (which might still interfere of course, but identifying/debugging the difference will be easier in case).

    Good luck!

    0 讨论(0)
提交回复
热议问题