Amazon web services AmazonS3使用boto/boto3修改bucket策略_Amazon Web Services_Amazon S3_Boto_Boto3

Amazon web services AmazonS3使用boto/boto3修改bucket策略

amazon-web-services amazon-s3

Amazon web services AmazonS3使用boto/boto3修改bucket策略,amazon-web-services,amazon-s3,boto,boto3,Amazon Web Services,Amazon S3,Boto,Boto3,我正在寻找使用boto/boto3修改S3存储桶策略。我在boto3中找到了两种模式，通过它们我们可以对bucket策略执行操作 # i can get bucket policy object as follows import boto3 s3_conn = boto3.resource('s3') bucket_policy = s3_conn.BucketPolicy('bucket_name') # i can make put(), load(), policy on bucket_

我正在寻找使用boto/boto3修改S3存储桶策略。我在boto3中找到了两种模式，通过它们我们可以对bucket策略执行操作

# i can get bucket policy object as follows
import boto3
s3_conn = boto3.resource('s3')
bucket_policy = s3_conn.BucketPolicy('bucket_name')
# i can make put(), load(), policy on bucket_policy object.

#similar in other way i can use following code
policy = s3_conn.get_bucket_policy(Bucket='bucket_name')
# similar to this there are two other calls put_bucket_policy and delete_bucket_policy.

我正在寻找更新桶策略，在其中我可以添加更多属性

我想在以下策略的语句键下再添加一个条目

{
    "Version": "2012-10-17",
    "Id": "Policy14564645656",
    "Statement": [{
        "Sid": "Stmt1445654645618",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::6164563645030:root"
        },
        "Action": "s3:Get*",
        "Resource": "arn:aws:s3:::bucket_name/abc/*"
    }]
}

有什么直接的方法可以做到这一点吗。一种非常奇怪的方法是在JSON中添加条目，然后将其作为新策略，但我正在寻找一种调用，它允许用户在不知道现有策略的情况下更新策略。

IAM没有提供一种更新策略的方法，而不提供一个完整、有效的策略作为替换。您需要执行PUT，传入原始策略名称。

当前boto3 API没有附加bucket策略的功能，无论是否添加其他项/元素/属性。您需要自己加载和操作JSON。例如，编写脚本将策略加载到dict中，附加“Statement”元素列表，然后使用policy.put替换整个策略。如果没有原始语句id，将附加用户策略。但是，无法判断后面的用户策略是否会覆盖前面的用户策略的规则

{
    "Version": "2012-10-17",
    "Id": "Policy14564645656",
    "Statement": [{
        "Sid": "Stmt1445654645618",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::6164563645030:root"
        },
        "Action": "s3:Get*",
        "Resource": "arn:aws:s3:::bucket_name/abc/*"
    }]
}

比如说

import boto3
s3_resource = boto3.resource('s3')
bucket_policy = s3_resource.BucketPolicy('bucket_name')

# Or use client to get Bucket policy
s3_client = boto3.client('s3')
policy = s3_client.get_bucket_policy(Bucket='bucket_name')

# assign policy using s3 resource 
user_policy = { "Effect": "Allow",... } 
new_policy =  policy['Statement'].append(user_policy)
bucket_policy.put(Policy=new_policy)

用户不需要知道流程中的旧策略

我有类似的要求，必须以编程方式修改bucket和KMS策略。我提出了自己的类，该类将策略和语句视为对象。它被包裹在一个“awspolicy”的pip包中

我希望这能有所帮助。快速示例：

import boto3
from awspolicy import BucketPolicy

s3_client = boto3.client('s3')
bucket_name = 'hailong-python'

# Load the bucket policy as an object
bucket_policy = BucketPolicy(serviceModule=s3_client, resourceIdentifer=bucket_name)

# Select the statement that will be modified
statement_to_modify = bucket_policy.select_statement('AutomatedRestrictiveAccess')

# Insert new_user_arn into the list of Principal['AWS']
new_user_arn = 'arn:aws:iam::888888888888:user/daniel'
statement_to_modify.Principal['AWS'].append(new_user_arn)

# Save change of the statement
statement_to_modify.save()

# Save change of the policy. This will update the bucket policy
statement_to_modify.source_policy.save() # Or bucket_policy.save()

您需要一个Client（）来调用get\u bucket\u策略。