Amazon web services AWS S3 CloudFormation只读权限_Amazon Web Services_Amazon S3_Aws Lambda_Amazon Cloudformation

Amazon web services AWS S3 CloudFormation只读权限

amazon-web-services amazon-s3 aws-lambda amazon-cloudformation

Amazon web services AWS S3 CloudFormation只读权限,amazon-web-services,amazon-s3,aws-lambda,amazon-cloudformation,Amazon Web Services,Amazon S3,Aws Lambda,Amazon Cloudformation,我正在尝试创建两个用户并向s3存储桶授予user1只读权限，我还需要授予user2读写权限。以下是我迄今为止所做的工作 AWSTemplateFormatVersion: "2010-09-09" Resources: s3Bucket: Type: AWS::S3::Bucket Properties: AccessControl: Private User1: Type: AWS::IAM::User User2: Type:

我正在尝试创建两个用户并向s3存储桶授予user1只读权限，我还需要授予user2读写权限。以下是我迄今为止所做的工作

AWSTemplateFormatVersion: "2010-09-09"


Resources:
  s3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private

  User1:
    Type: AWS::IAM::User

  User2:
    Type: AWS::IAM::User

  User1Key:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref 'User1'

  User2Key:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref 'User2'
Outputs:
  AccessKey:
    Value: !Ref 'User1Key'
    Description: AWSAccessKeyId of User 1
  SecretKey:
    Value: !GetAtt [User1Key, SecretAccessKey]
    Description: AWSSecretAccessKey of User 1
  AccessKey2:
    Value: !Ref 'User2Key'
    Description: AWSAccessKeyId of User 2
  SecretKey2:
    Value: !GetAtt [User2Key, SecretAccessKey]
    Description: AWSSecretAccessKey of User 2

我不知道如何实现这个

方法之一是使用IAM策略来实现同样的目标

看看下面的代码。我们正在创建两个策略，一个用于读取，一个用于写入。一个用户同时被分配读策略和写策略，另一个用户只被分配读策略

AWSTemplateFormatVersion: "2010-09-09"

Resources:
  s3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private

  S3ReadPolicy:
    Type: "AWS::IAM::Policy"
    Properties:
      PolicyName: "S3ReadPolicy"
      PolicyDocument:
        Statement:
          - Action: s3:GetObject
            Effect: Allow
            Resource: !Sub "arn:aws:s3:::${s3Bucket}/*"
          - Action: s3:ListBucket
            Effect: Allow
            Resource: !Sub "arn:aws:s3:::${s3Bucket}"
      Users:
        - Ref: User1
        - Ref: User2

  S3WritePolicy:
    Type: "AWS::IAM::Policy"
    Properties:
      PolicyName: "S3WritePolicy"
      PolicyDocument:
        Statement:
          - Action: s3:PutObject
            Effect: Allow
            Resource: !Sub "arn:aws:s3:::${s3Bucket}/*"
      Users:
        - Ref: User2        

  User1:
    Type: AWS::IAM::User

  User2:
    Type: AWS::IAM::User

  User1Key:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref "User1"

  User2Key:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref "User2"
Outputs:
  AccessKey:
    Value: !Ref "User1Key"
    Description: AWSAccessKeyId of User 1
  SecretKey:
    Value: !GetAtt [User1Key, SecretAccessKey]
    Description: AWSSecretAccessKey of User 1
  AccessKey2:
    Value: !Ref "User2Key"
    Description: AWSAccessKeyId of User 2
  SecretKey2:
    Value: !GetAtt [User2Key, SecretAccessKey]
    Description: AWSSecretAccessKey of User 2

希望这有帮助

修改答案，使用IAM策略而不是bucket策略更正答案，将IAM策略改为BucketPolicy