问题
I have an s3 bucket policy like this which denies requests if the referer is not listed under
{
"Sid": "6",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my_bucket_name/*",
"Condition": {
"StringNotLike": {
"aws:Referer": [
"http://example1.com/*",
"http://example2.com/*",
"https://*amazon.com*/*"
]
}
}
}
note i tried https://*amazon.com*/*, https://*aws.amazon.com* ,https://*amazon.com*,http://*amazon.com*
my problem is that I am not able to get elastic trasncoders(one of the aws service) referer when it tries to fetch the object and thus the job gives an error like this "You do not have the permissions required to read the specified object from the specified bucket". Note everything works fine if I remove the policy. So my question is that what should I put elastic trancoders referer as?. I tried couple of combinations and searched here and there but all in vain.Please do let me know if you think that there is a better way to this.
- update:
Also is there is way that i can filter some denied request by bucket policy , for example in above case can i allow a request which is not from above domains but with a particular ip address. from the amazon docs here i saw that first they check for explicit deny and then those deny requests aren't checked is there a way around this?. Any kind of help will be highly appreciated. thanks for your time
回答1:
Rather than creating a Bucket Policy that permits access for Amazon Elastic Transcoder, permissions are granted via the service role used by the Transcoder service.
As long as the service role has permissions to access your files in S3, there should be no need to grant it via the Bucket Policy. (Although I am unsure what would happen if you have an active DENY in the bucket policy.)
See: Service Roles for Elastic Transcoder Pipelines
来源:https://stackoverflow.com/questions/33757024/s3-bucket-policy-access-conditions