Amazon web services 控制台登录和api之间的AWS S3 ACL问题不一致
我希望有人能够解释为什么我在控制台登录和api登录之间出现授权错误。我有一个可以访问特定S3 bucket的客户端,该客户端对bucket具有完全CRUD访问权限,能够通过控制台执行下载、创建和删除,但通过API访问时,如果他们提前知道密钥,但在尝试读取bucket中对象的密钥时收到未经授权的错误,他们也可以下载视图 以下策略与用户帐户关联,以尝试将该用户仅隔离到单个S3存储桶Amazon web services 控制台登录和api之间的AWS S3 ACL问题不一致,amazon-web-services,amazon-s3,Amazon Web Services,Amazon S3,我希望有人能够解释为什么我在控制台登录和api登录之间出现授权错误。我有一个可以访问特定S3 bucket的客户端,该客户端对bucket具有完全CRUD访问权限,能够通过控制台执行下载、创建和删除,但通过API访问时,如果他们提前知道密钥,但在尝试读取bucket中对象的密钥时收到未经授权的错误,他们也可以下载视图 以下策略与用户帐户关联,以尝试将该用户仅隔离到单个S3存储桶 { "Statement": [ { "Sid": "AllowGroupToSeeBuck
{
"Statement": [
{
"Sid": "AllowGroupToSeeBucketListAndAlsoAllowGetBucketLocationRequiredForListBucket",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*",
"Condition": {}
},
{
"Sid": "AllowRootLevelListingOfCompanyBucket",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::mybucket",
"Condition": {
"StringEquals": {
"s3:prefix": "",
"s3:delimiter": "/"
}
}
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:GetObjectVersion",
"s3:PutObject",
"s3:GetObjectAcl",
"s3:GetObjectVersionAcl",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl",
"s3:DeleteObject",
"s3:DeleteObjectVersion"
],
"Resource": "arn:aws:s3:::mybucket/*",
"Condition": {}
}
]
}
以下是未经授权的api调用失败:
-=-=-=-
import boto, boto.s3
s3conn = boto.s3.connection.S3Connection(aws_access_key_id=ACCESS_KEY,
aws_secret_access_key=SECRET_KEY,
is_secure=True,
debug=0)
# This line fails with "403 Forbidden" b/c it tries to read the keys in # the bucket:
#s3bucket = s3conn.get_bucket('mybucket')
# This line does NOT try to read the keys and therefore succeeds:
s3bucket = s3conn.get_bucket('mybucket', validate=False)
# This loop fails with "403 Forbidden" on the very first iteration:
#for k in s3bucket.list():
# print k
# This line works, but I had to use the webpage to learn the name of the # key first.
k = s3bucket.get_key('specificfilename.csv')
print k
# This line works.
print k.generate_url(expires_in=10) + '\n'
正如Bob Kinney提到的,问题是由以下情况引起的:
"Condition": {
"StringEquals": {
"s3:prefix": "",
"s3:delimiter": "/"
}
}
基本上,您将ListBucket
操作限制为与该条件匹配的调用,但当您尝试执行时:
s3bucket = s3conn.get_bucket('mybucket')
boto将尝试在没有前缀和分隔符的情况下执行验证,以验证bucket是否存在以及用户是否可以访问它。由于该调用与您的条件不匹配,因此将失败
以下方法确实有效:
s3bucket = s3conn.get_bucket('mybucket', validate=False)
因为在本例中,boto只是跳过了我上面描述的验证。如果跳过此验证并执行:
for k in s3bucket.list():
由于您尝试运行的list()
调用与您的条件不匹配(默认情况下前缀和分隔符为空),因此最终会出现相同的问题
要修复IAM策略,只需删除
ListBucket
操作的条件。您应该提供更多详细信息,如与用户关联的IAM策略以及您设置的任何bucket策略。s3:ListBucket上的条件的用途是什么?这似乎是多余的。包含返回授权错误的API调用示例会很有帮助。从我用作参考的示例来看,这似乎是对能够查看指定文件夹的权限的限制,但是我可能使用了miss,miss理解了示例。虽然我确实注意到当我删除带有前缀和分隔符的ListBucket时,我无法看到目标bucket出现未经授权的错误。您可能只想删除条件,而不是整个语句。