我创建了一个策略,该策略允许访问帐户中的单个S3存储桶。然后,我创建了一个仅包含此策略的组,并且该组中包含一个用户。
用户可以按预期查看,删除文件并将其上传到存储桶。但是,用户似乎无法授予公众对上载文件的读取访问权限。
选择授予对此对象的公共读取权限选项时,上传将失败。
该存储桶托管着一个静态网站,我想允许前端开发人员上传文件并将其公开。
用户角色的策略如下:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": "arn:aws:s3:::my-bucket"
},
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}
This is what happens when the IAM user tries to grant public access to the uploaded file:
The proxy error seems unrelated, but essentially the upload is stuck and nothing happens. If they don't select the Grant public access option, the upload goes through immediately (despite the proxy error showing up as well).
To reproduce your situation, I did the following:
At this point, the user received an Access Denied
error because they were not permitted to list all Amazon S3 buckets. Thus, the console was not usable.
Instead, I ran this AWS CLI command:
aws s3 cp foo.txt s3://new-bucket/ --acl public-read
The result was:
An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
However, the operation succeeded with:
aws s3 cp foo.txt s3://new-bucket/
This means that the --acl
is the component that was denied.
I then went to Block Public Access for the bucket and turned OFF the option called "Block public access to buckets and objects granted through new access control lists (ACLs)". My settings were:
I then ran this command again:
aws s3 cp foo.txt s3://new-bucket/ --acl public-read
It worked!
为了验证这一点,我回到了阻止公共访问并打开了所有选项(通过顶部的复选框)。我重新运行了该命令,它再次被拒绝访问,确认原因是“阻止公共访问”设置。
底线:关闭第一个“阻止公共访问”设置。
本文收集自互联网,转载请注明来源。
如有侵权,请联系 [email protected] 删除。
我来说两句