Amazon web services: GetObject error on AWS S3 cross-account access

Tags: amazon-web-services, amazon-s3, permissions

I am the owner of AWS AccountC and need List and Get permissions on BucketName, which is owned by another person/team.

The bucket policy that was created is attached below. The policies for AccountA and AccountB already existed; I added the policy for AccountC as shown below.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AccessA",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::AccountA:root",
                    "arn:aws:iam::AccountA:user/ABC-Prod"
                ]
            },
            "Action": [
                "s3:GetObject",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::BucketName/*",
                "arn:aws:s3:::BucketName"
            ]
        },
        {
            "Sid": "AccessB",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::AccountB:user/service-user",
                    "arn:aws:iam::AccountB:role/BatchUserRole"
                ]
            },
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::BucketName/*",
                "arn:aws:s3:::BucketName"
            ]
        },
        {
            "Sid": "AccessC",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AccountC:root"
            },
            "Action": "s3:List*",
            "Resource": "arn:aws:s3:::BucketName"
        },
        {
            "Sid": "AccessD",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AccountC:root"
            },
            "Action": "s3:Get*",
            "Resource": "arn:aws:s3:::BucketName/*"
        }
    ]
}
I can use
aws s3 ls BucketName

However, when I try aws s3 cp --recursive BucketName/folderName/, it gives me an access denied error:

An error occurred (AccessDenied) when calling the GetObject operation: Access Denied

Block public access is enabled on the bucket, but I don't think that matters, since the bucket policy has been added.

I have tried writing the policy in several ways, but the error persists. Can someone help me understand what I am missing here? Many thanks.

Bucket policies do not apply to objects owned by another account unless the object carries the bucket-owner-full-control ACL. I have been bitten by this many times but have never found it clearly documented... – jordanm

@jordanm this bucket policy was added to the bucket that I need to access from Account C.

jordanm says the bucket policy is irrelevant if the objects in the bucket are not owned by the account that owns the bucket; that only applies when an external account performed the PutObject operation. For information on how to enforce bucket-owner access to objects, see the link. A more common cause of AccessDenied is that you cannot access the KMS key used to encrypt/decrypt the S3 data: do you have SSE with KMS enabled? And you do need to go through cross-account access: you need access to S3 in both the source and the destination account. Besides the link I already posted, you also need to go through these two links; I am fairly sure your problem is solved by both of them.
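As an added illustration (not part of the question or the comments), a small Python simulation of the three gates the thread identifies: whether a bucket-policy statement matches the request, whether the bucket owner actually owns the object (or was granted bucket-owner-full-control), and whether the caller can use the object's SSE-KMS key. The two statements are copied from the AccountC part of the policy above; the object records are constructed, and representing the caller by the AccountC root ARN is an assumption.

```python
import fnmatch

# Copied from the question's policy: the two statements that grant AccountC.
PRINCIPAL_C = "arn:aws:iam::AccountC:root"
ACCOUNT_C_STATEMENTS = [
    {"Sid": "AccessC", "Effect": "Allow", "Principal": {"AWS": PRINCIPAL_C},
     "Action": "s3:List*", "Resource": "arn:aws:s3:::BucketName"},
    {"Sid": "AccessD", "Effect": "Allow", "Principal": {"AWS": PRINCIPAL_C},
     "Action": "s3:Get*", "Resource": "arn:aws:s3:::BucketName/*"},
]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def policy_allows(statements, principal, action, resource):
    """Sid of the first Allow statement matching the request, else None.
    Actions match case-insensitively, resources case-sensitively; no Deny modelled."""
    for st in statements:
        if st["Effect"] != "Allow" or principal not in _as_list(st["Principal"]["AWS"]):
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(st["Action"])):
            continue
        if any(fnmatch.fnmatchcase(resource, p) for p in _as_list(st["Resource"])):
            return st["Sid"]
    return None

def cross_account_get_object(statements, principal, key, obj):
    """Decide a cross-account GetObject with the extra gates the comments name.
    obj is a constructed record: owner, ACL grants, SSE-KMS state. Returns (allowed, reason)."""
    sid = policy_allows(statements, principal, "s3:GetObject", f"arn:aws:s3:::BucketName/{key}")
    if sid is None:
        return False, "AccessDenied: no bucket-policy statement matches"
    # With ACL-based object ownership, an object written by another account stays that
    # account's unless it granted bucket-owner-full-control, so the bucket policy cannot
    # hand it out. The BucketOwnerEnforced ownership setting removes this gate.
    if obj["owner"] != "BucketOwner" and "bucket-owner-full-control" not in obj.get("acl", []):
        return False, f"AccessDenied: {sid} matches, but the object is owned by {obj['owner']}"
    if obj.get("sse_kms") and not obj.get("kms_key_accessible"):
        return False, f"AccessDenied: {sid} matches, but the caller cannot use the SSE-KMS key"
    return True, f"Allowed by {sid}"

if __name__ == "__main__":
    samples = {  # constructed objects under folderName/ in BucketName
        "folderName/own.txt": {"owner": "BucketOwner"},
        "folderName/fromB.txt": {"owner": "AccountB", "acl": []},
        "folderName/kms.txt": {"owner": "BucketOwner", "sse_kms": True, "kms_key_accessible": False},
    }
    for key, obj in samples.items():
        print(key, "->", cross_account_get_object(ACCOUNT_C_STATEMENTS, PRINCIPAL_C, key, obj)[1])
```

The first case reproduces the question: `aws s3 ls` passes through AccessC, and AccessD also matches GetObject, yet objects written by AccountB without bucket-owner-full-control are still denied.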