Amazon Web Services: simplifying multiple AWS S3 policies
Is there a way to simplify the two AWS IAM policy statements given below into one? I want to allow the ListBucket, GetBucketLocation, GetBucketPolicy and GetBucketACL operations on the bucket, and on the main folder and subfolders 1, 2 and 3 located inside the bucket. I have two statements, one allowing the operations on the bucket and the other allowing the operations on the main folder and its subfolders. Since the actions, effect and resources are the same in both statements, is it possible to write a single statement? Thanks, John

Tags: amazon-web-services, amazon-s3, amazon-iam
You can compress it further using a wildcard statement. Or, if you want them to access everything in the Main folder:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Sid": "AllowAccessToViewBucket",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetBucketPolicy",
        "s3:GetBucketACL"
      ],
      "Resource": [
        "arn:aws:s3:::bucket",
        "arn:aws:s3:::bucket/mainfolder/*"
      ]
    }
  ]
}
```
Now note:

The policy is split into two parts because the ListBucket action requires permission on the bucket, while the other actions require permission on the objects in the bucket. We used two different Amazon Resource Names (ARNs) to specify bucket-level and object-level permissions. The first Resource element specifies arn:aws:s3:::test for the ListBucket action so that the application can list all objects in the test bucket. The second Resource element specifies arn:aws:s3:::test/* for the GetObject, PutObject and DeleteObject actions so that the application can read, write and delete any object in the test bucket.
Thanks for your reply, Ben. I had assumed that when an http/https request is made for a "folder" it would go through the bucket ARN and a prefix element (as in my policy), but your policy seems to work. So is the folder path ARN "arn:aws:s3:::bucket/folder" the same as checking the bucket ARN "arn:aws:s3:::bucket" with the prefix "folder", as I did in my policy? I can't find any resource stating that this is true, but if it is, I could use the folder path ARN for any bucket operation instead of checking the prefix.
You can use a list of resources to combine these into a single statement, like this:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Sid": "AllowAccessToViewBucket",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetBucketPolicy",
        "s3:GetBucketACL"
      ],
      "Resource": [
        "arn:aws:s3:::bucket",
        "arn:aws:s3:::bucket/mainfolder",
        "arn:aws:s3:::bucket/mainfolder/subfolder1",
        "arn:aws:s3:::bucket/mainfolder/subfolder2",
        "arn:aws:s3:::bucket/mainfolder/subfolder3"
      ]
    }
  ]
}
```
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Sid": "AllowAccessToViewBucket",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetBucketPolicy",
        "s3:GetBucketACL"
      ],
      "Resource": [
        "arn:aws:s3:::bucket",
        "arn:aws:s3:::bucket/mainfolder",
        "arn:aws:s3:::bucket/mainfolder/*"
      ]
    }
  ]
}
```
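Added example (not from the post, Ben or AWS): a small Python checker that applies IAM's Resource-ARN wildcard rules (`*` matches any run of characters including `/`, `?` matches one character, the whole ARN must match, case-sensitively) to the three Resource lists above against a few constructed object ARNs. It shows that the list naming `bucket/mainfolder/subfolder1` only covers an object with exactly that key, while `bucket/mainfolder/*` covers everything beneath the folder; the regex translation and the sample keys are my own assumptions.

```python
import re

# Resource lists copied from the three policies in the answer above.
EXPLICIT_LIST = [
    "arn:aws:s3:::bucket",
    "arn:aws:s3:::bucket/mainfolder",
    "arn:aws:s3:::bucket/mainfolder/subfolder1",
    "arn:aws:s3:::bucket/mainfolder/subfolder2",
    "arn:aws:s3:::bucket/mainfolder/subfolder3",
]
WILDCARD_LIST = [
    "arn:aws:s3:::bucket",
    "arn:aws:s3:::bucket/mainfolder",
    "arn:aws:s3:::bucket/mainfolder/*",
]
MAINFOLDER_ALL = ["arn:aws:s3:::bucket", "arn:aws:s3:::bucket/mainfolder/*"]

# Constructed sample ARNs (not from the post) to probe each list with.
PROBES = [
    "arn:aws:s3:::bucket",                                 # the bucket itself
    "arn:aws:s3:::bucket/mainfolder",                      # a "folder" marker object
    "arn:aws:s3:::bucket/mainfolder/subfolder1",           # marker object for subfolder1
    "arn:aws:s3:::bucket/mainfolder/subfolder1/data.csv",  # an object inside subfolder1
    "arn:aws:s3:::bucket/mainfolder/subfolder4",           # a subfolder the question did not list
    "arn:aws:s3:::bucket/otherfolder/data.csv",            # outside mainfolder entirely
]


def arn_pattern_to_regex(pattern):
    """Translate an IAM Resource pattern into a regex: only * and ? are wildcards."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(escaped)


def resource_matches(resources, arn):
    """True if any Resource entry matches the whole ARN (case-sensitive, like IAM)."""
    return any(arn_pattern_to_regex(p).fullmatch(arn) for p in resources)


def coverage(resources):
    """Map each probe ARN to whether the Resource list covers it. Only object-level
    actions are checked against object ARNs; ListBucket is authorised against the
    bucket ARN, as the AWS note quoted above says."""
    return {arn: resource_matches(resources, arn) for arn in PROBES}


if __name__ == "__main__":
    for name, res in (("explicit", EXPLICIT_LIST), ("wildcard", WILDCARD_LIST),
                      ("mainfolder/*", MAINFOLDER_ALL)):
        print(f"--- {name}")
        for arn, ok in coverage(res).items():
            print(f"{'match   ' if ok else 'no match'} {arn}")
```

Running it shows the explicit list does not cover objects stored below subfolder1, which is why the answer's wildcard form is the one that grants access to a folder's contents.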