问题
I have a user foo with the following privileges (it's not a member of any group):
{
"Statement": [
{
"Sid": "Stmt1308813201865",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::bar"
}
]
}
That user however seem unable to upload or do much of anything until I grant full access to authenticated users (which might apply to anyone). This still doesn't let the user change permission as boto is throwing an error after an upload when it tries to do do key.set_acl('public-read').
Ideally this user would have full access to the bar bucket and nothing else, what am I doing wrong?
回答1:
You need to grant s3:ListBucket permission to the bucket itself. Try the policy below.
{
"Statement": [
{
"Effect": "Allow",
"Action": "S3:*",
"Resource": "arn:aws:s3:::bar/*",
"Condition": {}
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::bar",
"Condition": {}
}
]
}
回答2:
The selected answer didn't work for me, but this one did:
{
"Statement": [
{
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
]
}
],
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
}
]
}
Credit: http://mikeferrier.com/2011/10/27/granting-access-to-a-single-s3-bucket-using-amazon-iam/
回答3:
Are you aware of the AWS Policy Generator?
回答4:
There is an official AWS documentation at Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket
Just copy and paste the appropriate rule and change the "Resource" key to your bucket's ARN in all Statements.
For programamtic access the policy should be:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::bar"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:DeleteObject"
],
"Resource": ["arn:aws:s3:::bar/*"]
}
]
}
And for console access access should be:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::bar*"
},
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::bar"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:DeleteObject"
],
"Resource": ["arn:aws:s3:::bar/*"]
}
]
}
回答5:
That works for me:
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions"
],
"Resource": "arn:aws:s3:::bucket_name_here"
},
{
"Effect": "Allow",
"Action": [
"s3:*Object*",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload"
],
"Resource": "arn:aws:s3:::bucket_name_here/*"
}
]
}
回答6:
If you've been pulling your hair out because you cannot figure out why Cyberduck is not being able to set object ACLs but it works with another client (like Panic Transmit) here is the solution:
You need to add s3:GetBucketAcl to your Action list, eg:
{
"Statement": [
{
"Sid": "Stmt1",
"Action": [
"s3:GetBucketAcl",
"s3:ListBucket",
"s3:DeleteObject",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::your-bucket-name"
}
]
}
Of course you don't need to do this if you are less restrictive with s3:* but I think this is good to know.
回答7:
@cloudberryman's answer is correct but I like to make things as short as possible. This answer can be reduced to:
{
"Statement":[
{
"Effect":"Allow",
"Action":"S3:*",
"Resource":[
"arn:aws:s3:::bar",
"arn:aws:s3:::bar/*"
]
}
]
}
回答8:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::YOUR-BUCKET",
"arn:aws:s3:::YOUR-BUCKET/*"
]
}
]
}
回答9:
Allow bucket inner folders by mentioning like below in resource, Also you should give list permission to all buckets. Check out below sample policy,
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::example-bucket",
"arn:aws:s3:::example-bucket/*"
]
},
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
}
]
}
To know more details about this find this article.
来源:https://stackoverflow.com/questions/8203598/i-need-an-amazon-s3-user-with-full-access-to-a-single-bucket