我正在尝试将构建文件从Jenkins上传到S3 Bucket。我只希望Cloudfront和用户deployer
有权访问存储桶,策略如下:
{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXX"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::samplebucket/*"
},
{
"Sid": "2",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::1234567890:user/deployer"
]
},
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::samplebucket",
"arn:aws:s3:::samplebucket/*"
]
}
]
}
此政策不允许deployer
将对象上载到S3。而如果我将存储桶设置为公开访问,则可以从Jenkins成功上传对象。我不希望我的水桶公开。
本文收集自互联网,转载请注明来源。
如有侵权,请联系 [email protected] 删除。
我来说两句