1. 技术文章
  2. IAM user policy returning 403 Forbidden on Amazon S3 bucket

IAM user policy returning 403 Forbidden on Amazon S3 bucket

若如初见. 提交于 2019-12-07 11:41:52

问题


I am struggling to get a AWS S3 IAM user policy to work, this is my current IAM user's policy: 

{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "Stmt1424859689000",
        "Effect": "Allow",
        "Action": [
          "s3:DeleteObject",
          "s3:GetObject",
          "s3:PutObject"
        ],
        "Resource": [
          "arn:aws:s3:::vault-us/*"
        ]
      }
    ]
  }

When I do a post to create a new object in my S3 bucket I get a 403 Forbidden error but when I use the Managed Policy called 'AmazonS3FullAccess' then everything works just fine.

What I am trying to do is restrict certain IAM users to upload/downloads rights but am struggling to get this working.

Any suggestions would be appreciated!


回答1:


I managed to figure out that in order for upload to work I needed to include the action "s3:PutObjectAcl" here is the example of my IAM policy below:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetBucketLocation",
                    "s3:ListAllMyBuckets"
                ],
                "Resource": "arn:aws:s3:::*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:ListBucket"
                ],
                "Resource": [
                    "arn:aws:s3:::vault-us"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:PutObjectAcl"
                ],
                "Resource": [
                    "arn:aws:s3:::vault-us/*"
                ]
            }
        ]
    }



回答2:


First thing you can do is figure out if its the actions that's wrong or the resource scope, can you these two policies one at a time:

    "Action": [
      "s3:*"
    ],
    "Resource": [
      "arn:aws:s3:::vault-us/*"
    ]

and 

    "Action": [
      "s3:DeleteObject",
      "s3:GetObject",
      "s3:PutObject"
    ],
    "Resource": [
      "*"
    ]

If the first one works and the second fails, you don't have enough permissions to do your operation, e.g. try adding listBucket or similar (I tend to add all likely ones and gradually remove them until it breaks).

If the first one breaks and the second one works then your resource declaration is wrong, the most common fix I've found is to try adding:

    "Action": [
      "s3:DeleteObject",
      "s3:GetObject",
      "s3:PutObject"
    ],
    "Resource": [
      "arn:aws:s3:::vault-us/*",
      "arn:aws:s3:::vault-us"
    ]

If the both fail then chances are both your action and your resource is wrong.

Good Luck



来源:https://stackoverflow.com/questions/28717593/iam-user-policy-returning-403-forbidden-on-amazon-s3-bucket

标签
amazon-web-services
amazon-s3
amazon-iam
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!