Warning: file_get_contents(/data/phpspider/zhask/data//catemap/1/amazon-web-services/12.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
Amazon web services 简化多个AWS S3策略_Amazon Web Services_Amazon S3_Amazon Iam - Fatal编程技术网
Fatal编程技术网

Amazon web services 简化多个AWS S3策略

amazon-web-services amazon-s3

Amazon web services 简化多个AWS S3策略,amazon-web-services,amazon-s3,amazon-iam,Amazon Web Services,Amazon S3,Amazon Iam,是否有办法将下面给出的2条AWS IAM政策声明简化为一条 我想在bucket上允许ListBucket、GetBucketLocation、GetBucketPolicy、GetBucketACL操作,以及位于bucket内的主文件夹和子文件夹1、2、3 我有两条语句——一条允许对bucket进行操作,另一条允许对main文件夹和子文件夹进行操作。既然两个语句中的动作、效果和资源是相同的,那么是否有可能编写一个语句 谢谢 约翰 您可以使用通配符语句进一步压缩它 或者,如果您想让他们访问Ma

是否有办法将下面给出的2条AWS IAM政策声明简化为一条

我想在bucket上允许ListBucket、GetBucketLocation、GetBucketPolicy、GetBucketACL操作,以及位于bucket内的主文件夹和子文件夹1、2、3

我有两条语句——一条允许对bucket进行操作,另一条允许对main文件夹和子文件夹进行操作。既然两个语句中的动作、效果和资源是相同的,那么是否有可能编写一个语句

谢谢

约翰

您可以使用通配符语句进一步压缩它

或者,如果您想让他们访问Main文件夹中的所有内容

"Statement": [
    {
        "Effect": "Allow",
        "Sid": "AllowAccessToViewBucket",
        "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:GetBucketPolicy",
            "s3:GetBucketACL"
        ],
        "Resource": [
            "arn:aws:s3:::bucket",
            "arn:aws:s3:::bucket/mainfolder/*"
        ]
    }
]
现在请注意

该策略分为两部分,因为ListBucket操作需要对bucket的权限,而其他操作需要对bucket中的对象的权限。我们使用了两个不同的Amazon资源名(ARN)来指定bucket级别和对象级别的权限。第一个资源元素指定ListBucket操作的arn:aws:s3::test,以便应用程序可以列出测试bucket中的所有对象。第二个资源元素为GetObject、PutObject和DeletObject操作指定arn:aws:s3:::test/*以便应用程序可以读取、写入和删除测试bucket中的任何对象

感谢您的回复,本。我原以为,当对“文件夹”发出http/https请求时,它将通过bucket arn和前缀元素(如我的策略中所示),但您的策略似乎有效。那么,文件夹路径arn“arn:aws:s3:::bucket/folder”是否与我在策略中使用的检查此bucket arn“arn:aws:s3:::bucket”和前缀“folder”相同?我找不到任何说明这是真的资源,但如果是真的,我可以将文件夹路径arn用于任何bucket操作,而不是检查前缀。 
You can use a list of resources to combine these in to a single statement, like this

"Statement": [
    {
        "Effect": "Allow",
        "Sid": "AllowAccessToViewBucket",
        "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:GetBucketPolicy",
            "s3:GetBucketACL"
        ],
        "Resource": ["arn:aws:s3:::bucket",
                    "arn:aws:s3:::bucket/mainfolder",
                    "arn:aws:s3:::bucket/mainfolder/subfolder1",
                    "arn:aws:s3:::bucket/mainfolder/subfolder2",
                    "arn:aws:s3:::bucket/mainfolder/subfolder3"
        ]
    }
]

"Statement": [
    {
        "Effect": "Allow",
        "Sid": "AllowAccessToViewBucket",
        "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:GetBucketPolicy",
            "s3:GetBucketACL"
        ],
        "Resource": [
            "arn:aws:s3:::bucket",
            "arn:aws:s3:::bucket/mainfolder",
            "arn:aws:s3:::bucket/mainfolder/*"
        ]
    }
]

"Statement": [
    {
        "Effect": "Allow",
        "Sid": "AllowAccessToViewBucket",
        "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:GetBucketPolicy",
            "s3:GetBucketACL"
        ],
        "Resource": [
            "arn:aws:s3:::bucket",
            "arn:aws:s3:::bucket/mainfolder/*"
        ]
    }
]