Amazon s3 使用bucket级别权限调用PutObject操作时访问被拒绝
我按照上面的示例介绍了如何授予用户仅访问一个bucket的权限 然后,我使用W3 Total Cache Wordpress插件测试了配置。测试失败了 我还尝试使用Amazon s3 使用bucket级别权限调用PutObject操作时访问被拒绝,amazon-s3,Amazon S3,我按照上面的示例介绍了如何授予用户仅访问一个bucket的权限 然后,我使用W3 Total Cache Wordpress插件测试了配置。测试失败了 我还尝试使用 aws s3 cp --acl=public-read --cache-control='max-age=604800, public' ./test.txt s3://my-bucket/ 而这一切都以失败告终 upload failed: ./test.txt to s3://my-bucket/test.txt A clie
aws s3 cp --acl=public-read --cache-control='max-age=604800, public' ./test.txt s3://my-bucket/
而这一切都以失败告终
upload failed: ./test.txt to s3://my-bucket/test.txt A client error (AccessDenied) occurred when calling the PutObject operation: Access Denied
为什么我不能上传到我的bucket?回答我自己的问题: 示例策略授予PutObject访问权限,但我还必须授予PutObjectAcl访问权限 我得换衣服
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
从示例到:
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:DeleteObject"
您还需要通过取消勾选以下两个框,确保为客户端配置了bucket以设置公共可访问的ACL:
我也有类似的问题。我没有使用ACL的东西,所以我不需要
s3:PutObjectAcl
就我而言,我正在做(以YML为单位):
而不是:
- Effect: Allow
Action:
- s3:PutObject
Resource: "arn:aws:s3:::MyBucketName/*"
这将在存储桶ARN的末尾添加一个/*
希望这有帮助。我犯了一个错误,收到了相同的错误消息: 确保使用正确的S3URI,例如:
s3://my bucket name/
(如果我的bucket名称位于aws s3的根)
我坚持这样做,因为当从浏览器复制粘贴s3存储桶时,会得到类似https://s3.console.aws.amazon.com/s3/buckets/my-bucket-name/?region=my-aws区域选项卡=概述
因此,我错误地使用了s3://bucket/my bucket name
,这会引发:
调用PutObject操作时发生错误(AccessDenied):拒绝访问
如果这有助于其他人,在我的情况下,我使用的是CMK(使用默认aws/s3键工作正常)
我必须进入IAM中的加密密钥定义,并将登录boto3的编程用户添加到用户列表中,“可以使用此密钥在应用程序内部以及使用与KMS集成的AWS服务时加密和解密数据。”我在上传到受KWS加密保护的S3存储桶时遇到类似问题。 我有一个最小的策略,允许在特定的s3键下添加对象 我需要将以下KMS权限添加到策略中,以允许角色将对象放入bucket中。(可能略高于严格要求)
{
“版本”:“2012-10-17”,
“声明”:[
{
“Sid”:“VisualEditor0”,
“效果”:“允许”,
“行动”:[
“kms:ListKeys”,
“kms:生成域”,
“kms:列表别名”,
“s3:PutAccountPublicAccessBlock”,
“s3:GetAccountPublicAccessBlock”,
“s3:ListAllMyBucket”,
“s3:前斗”
],
“资源”:“*”
},
{
“Sid”:“VisualEditor1”,
“效果”:“允许”,
“行动”:[
“kms:ImportKeyMaterial”,
“kms:ListKeyPolicys”,
“kms:ListRetirableGrants”,
“kms:GetKeyPolicy”,
“kms:GeneratedTakeyWithOutplainText”,
“kms:ListResourceTags”,
“kms:重新加密自”,
“kms:ListGrants”,
“kms:GetParametersForImport”,
“kms:TagResource”,
“kms:加密”,
“kms:GetKeyRotationStatus”,
“kms:GenerateDakey”,
“kms:Reencrypto”,
“kms:DescribeKey”
],
“资源”:“arn:aws:kms:::key/”
},
{
“Sid”:“VisualEditor2”,
“效果”:“允许”,
“行动”:[
],
“资源”:[
“arn:aws:s3::”,
“arn:aws:s3::/*”
]
}
]
}
我只是想让S3上传到大文件中去。最初我的错误是:
An error occurred (AccessDenied) when calling the CreateMultipartUpload operation: Access Denied
An error occurred (AccessDenied) when calling the CreateMultipartUpload operation: Access Denied
然后我尝试复制一个较小的文件,得到:
An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
我可以很好地列出对象,但我不能做任何其他事情,即使我的角色策略中有s3::
权限。我最终将政策修改为:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::my-bucket/*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucketMultipartUploads",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts"
],
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
]
},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "*"
}
]
}
现在我可以上传任何文件了。将
my bucket
替换为您的bucket名称。我希望这能帮助其他人解决这个问题。对我来说,我使用的是过期的身份验证密钥。生成了新的密钥和boom。如果您已为S3加密指定了自己的客户管理KMS密钥,则还需要提供标志--服务器端加密aws:KMS
,例如:
aws s3api放置对象--bucket bucket--key objectKey--body/path/to/file--服务器端加密aws:kms
如果未添加标志
--服务器端加密aws:kms
,cli将显示AccessDenied
错误如果已为bucket设置了公共访问,并且它仍然不工作,请编辑bucket策略并粘贴以下内容:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::yourbucketnamehere",
"arn:aws:s3:::yourbucketnamehere/*"
],
"Effect": "Allow",
"Principal": "*"
}
]
}
类似于上面的一篇文章(除了我使用管理员凭证)让S3上传来处理大文件 最初我的错误是:
An error occurred (AccessDenied) when calling the CreateMultipartUpload operation: Access Denied
An error occurred (AccessDenied) when calling the CreateMultipartUpload operation: Access Denied
我将multipart_阈值切换到50米以上
aws configure set default.s3.multipart_threshold 64MB
我得到:
An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
我检查了bucket公共访问设置,所有设置都被允许。
所以我发现:
通过从策略中授予Lambda完整的s3访问权限,我能够解决这个问题。为Lambda创建一个新角色,并附加具有完整S3访问权限的策略
希望这会有所帮助。我遇到了同样的问题。我的桶是私有的,有KMS加密。我可以通过在角色中添加额外的KMS权限来解决此问题。下面的列表是所需角色的最小集合
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAttachmentBucketWrite",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"kms:Decrypt",
"s3:AbortMultipartUpload",
"kms:Encrypt",
"kms:GenerateDataKey"
],
"Resource": [
"arn:aws:s3:::bucket-name/*",
"arn:aws:kms:kms-key-arn"
]
}
]
}
引用:错误:调用PutObject操作时发生错误(AccessDenied):拒绝访问 我通过传递额外的Args参数解决了这个问题,因为公司策略禁用了PutObjectAcl s3_client.upload_文件('./local_file.csv',bucket name',path',Ex
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
]
}
]
}
data "aws_iam_policy" "AmazonSESFullAccess" {
arn = "arn:aws:iam::aws:policy/AmazonSESFullAccess"
}
resource "aws_iam_role_policy_attachment" "ecs_ses_access" {
role = aws_iam_role.app_iam_role.name
policy_arn = data.aws_iam_policy.AmazonSESFullAccess.arn
}