Fatal编程技术网
  • amazon-web-services/
  • Amazon web services aws s3api放置桶网站-PutBucketWebsite操作:访问被拒绝

Amazon web services aws s3api放置桶网站-PutBucketWebsite操作:访问被拒绝

amazon-web-services amazon-s3

Amazon web services aws s3api放置桶网站-PutBucketWebsite操作:访问被拒绝,amazon-web-services,amazon-s3,aws-cli,Amazon Web Services,Amazon S3,Aws Cli,我正在尝试使用此命令设置静态网站宿主: aws s3api放桶网站——桶XXXX——网站配置file://assets/website.json website.json { "IndexDocument": { "Suffix": "index.html" }, "ErrorDocument": { "Key": "index.html" } } { "IndexDocument": { "Suffix"

我正在尝试使用此命令设置静态网站宿主:

aws s3api放桶网站——桶XXXX——网站配置file://assets/website.json

website.json

{
    "IndexDocument": {
        "Suffix": "index.html"
    },
    "ErrorDocument": {
        "Key": "index.html"
    }
}

{
    "IndexDocument": {
        "Suffix": "index.html"
    },
    "ErrorDocument": {
        "Key": "index.html"
    }
}
桶策略

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::XXXX/*"
        }
    ]
}
我得到了一个错误:

调用PutBucketWebsite操作时出错(AccessDenied):拒绝访问

我应该在桶策略中更改什么

您的bucket策略只允许您执行GET操作,但您希望执行PUT操作

正如您所提到的,您的IAM似乎具有管理员和完整的S3访问权限,但您没有特定存储桶的存储桶级别访问权限

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject
            ],
            "Resource": "arn:aws:s3:::XXXX/*"
        },
        {
             "Sid": "AllowPutBucket",
             "Effect": "Allow",
             "Action": [
                 "s3:*"
             ],
              "Resource": [
                 "arn:aws:s3:::bucketname",
                  "arn:aws:s3:::bucketname/*"
              ]
        }
    ]
}
此PUT操作需要S3:PutBucketWebsite的权限:

添加桶策略:

    aws s3api put-bucket-policy \
        --bucket XXXX \
        --policy file://s3-bucket-policy.json

{
    "Version": "2008-10-17",
    "Statement": [
         {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::XXXX/*"
         },
         {
            "Effect": "Allow",
            "Principal": {
               "AWS": "*"
            },
            "Action": [
               "S3:PutBucketWebsite"
            ],
            "Resource": "arn:aws:s3:::XXXX"
         }
    ]
}
s3 bucket policy.json:

    aws s3api put-bucket-policy \
        --bucket XXXX \
        --policy file://s3-bucket-policy.json

{
    "Version": "2008-10-17",
    "Statement": [
         {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::XXXX/*"
         },
         {
            "Effect": "Allow",
            "Principal": {
               "AWS": "*"
            },
            "Action": [
               "S3:PutBucketWebsite"
            ],
            "Resource": "arn:aws:s3:::XXXX"
         }
    ]
}
设置静态网站托管

aws s3api put-bucket-website \
    --bucket XXXX \
    --website-configuration file://website.json
website.json

{
    "IndexDocument": {
        "Suffix": "index.html"
    },
    "ErrorDocument": {
        "Key": "index.html"
    }
}

{
    "IndexDocument": {
        "Suffix": "index.html"
    },
    "ErrorDocument": {
        "Key": "index.html"
    }
}

PutBucketWebsite
是桶级操作,不是吗?您的策略仅适用于对象。我想我还需要bucket资源
arn:aws:s3:::XXXX/
@alex067谢谢你的回答,但Marcin是对的。此PUT操作需要S3:PutBucketWebsite权限。您的IAM角色看起来像什么?@alex067我有管理员访问权限和AmazonS3FullAccess权限