Amazon web services AWS S3&;IAM-定义用户只能访问(读取)特定文件夹的策略
我正试图让用户获得仅从某个文件夹下载的权限 我的S3 bucket称为“bucket data”,我有3个包含内容的文件夹Amazon web services AWS S3&;IAM-定义用户只能访问(读取)特定文件夹的策略,amazon-web-services,amazon-s3,Amazon Web Services,Amazon S3,我正试图让用户获得仅从某个文件夹下载的权限 我的S3 bucket称为“bucket data”,我有3个包含内容的文件夹 bucket-data folder01 folder02 folder03 如何定义用户只能从文件夹01和文件夹3下载的策略 截至目前,我已制定了以下政策: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
bucket-data
folder01
folder02
folder03
如何定义用户只能从文件夹01和文件夹3下载的策略
截至目前,我已制定了以下政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": ["arn:aws:s3:::bucket-data/folder01/*"]
}
]
}
但我得到了:
sftp> ls -la
Couldn't read directory: Permission denied
以下是教程:
到目前为止,我唯一要做的就是:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": "*"
}
]
}
S3的
ListBucket
操作应该作用于bucket资源,而不是对象级别。因此,为了使这项工作正常,您需要添加另一条语句
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": ["arn:aws:s3:::bucket-data/folder01/*"]
},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::bucket-data",
"Condition": {
"StringLike": {
"s3:prefix": "folder01/*"
}
}
}
]
}
我想你需要这样的东西:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::bucket-data"
},
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": ["arn:aws:s3:::bucket-data/folder01/*", "arn:aws:s3:::bucket-data/folder03/*"]
}
]
}
您想要IAM用户特定权限,还是每个人都可以公开阅读?我会将策略附加到AWS传输sftp用户,不同的用户应有不同的权限从我为每个用户创建的策略中定义的文件夹下载数据(通过sftp)。这有意义吗?谢谢你的帮助。我仍然收到相同的错误:无法读取目录:权限被拒绝。我在开单时有两个警告。为GetAccessPointPolicy指定accesspoint资源ARN,然后再指定一个操作。2.为GetBucketLocation指定bucket resource ARN和22个其他操作。您能为两个文件夹展示它吗?folder01和folder03?@PhilippM
“s3:前缀”:[“folder01/*”,“folder03/*”]
但它不工作,仍然收到消息:无法读取目录:权限被拒绝。和2次警告。