
Python: Spectrum S3 access denied

Tags: python, amazon-web-services, amazon-s3, amazon-cloudformation, aws-sam

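I'm trying to load Parquet data into Redshift via Redshift Spectrum.

I have my trust relationships etc. set up so that Redshift can assume the role fine.

However, I get an S3 access denied error that I can't seem to resolve.

S3 bucket policy: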

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::<BUCKET>",
                "arn:aws:s3:::<BUCKET>/*"
            ],
            "Condition": {
                "ArnEquals": {
                    "aws:PrincipalArn": [
                        "<ADMIN ROLE 1 ARN>",
                        "<ADMIN ROLE 2 ARN>"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetBucketNotification",
                "s3:GetBucketVersioning",
                "s3:DeleteObject",
                "s3:PutObject",
                "s3:ListBucket",
                "s3:GetObject",
                "s3:ListBucketVersions"
            ],
            "Resource": [
                "arn:aws:s3:::<BUCKET>",
                "arn:aws:s3:::<BUCKET>/*"
            ],
            "Condition": {
                "ArnEquals": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::123456781234:role/GlueRole",
                        "arn:aws:iam::123456781234:role/ExtractSQLRole",
                        "arn:aws:iam::123456781234:role/RedshiftRole"
                    ]
                }
            }
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::<BUCKET>/*",
                "arn:aws:s3:::<BUCKET>"
            ],
            "Condition": {
                "ArnNotEquals": {
                    "aws:PrincipalArn": [
                        "<ADMIN ROLE 1 ARN>",
                        "<ADMIN ROLE 2 ARN>",
                        "arn:aws:iam::123456781234:role/GlueRole",
                        "arn:aws:iam::123456781234:role/ExtractSQLRole",
                        "arn:aws:iam::123456781234:role/RedshiftRole"
                    ]
                }
            }
        }
    ]
}
Glue role:

  GlueRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: glue.amazonaws.com
            Action: sts:AssumeRole
          - Effect: Allow
            Principal:
              Service: redshift.amazonaws.com
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId:
                  - arn:aws:iam::123456781234:role/GlueRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole
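With this, I get a list of tables, but always the following error:


I need to keep the bucket secured to only certain roles, but I also need Spectrum to query it... Any suggestions?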

You have an explicit Deny for all your principals:

{
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::<BUCKET>/*",
                "arn:aws:s3:::<BUCKET>"
            ],
            "Condition": {
                "ArnEquals": {
                    "aws:PrincipalArn": [
                        "<ADMIN ROLE 1 ARN>",
                        "<ADMIN ROLE 2 ARN>",
                        "arn:aws:iam::123456781234:role/GlueRole",
                        "arn:aws:iam::123456781234:role/ExtractSQLRole",
                        "arn:aws:iam::123456781234:role/RedshiftRole"
                    ]
                }
            }
        }

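Deny always wins, so you will always be denied, and no Allow will change it. I'm not sure what you're trying to achieve with this. Maybe you want to use ArnNotEquals?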
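An added example (not part of the original answer, and not AWS's own evaluation code): a simplified evaluator for the `aws:PrincipalArn` conditions in a bucket policy, showing why a Deny with `ArnEquals` blocks exactly the listed roles while `ArnNotEquals` blocks everyone else. The bucket name `example-bucket`, the role `SomeOtherRole` used in the test, and all helper names are constructed; only the bucket policy is evaluated, not identity policies.

```python
from fnmatch import fnmatchcase

ACCOUNT = "123456781234"  # account id as written in the question
ALLOWED = [f"arn:aws:iam::{ACCOUNT}:role/{r}"
           for r in ("GlueRole", "ExtractSQLRole", "RedshiftRole")]
BUCKET = "arn:aws:s3:::example-bucket"  # constructed stand-in for <BUCKET>

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(cond, principal_arn):
    # Multiple values under one key are OR-ed; separate operators are AND-ed.
    for op, keys in cond.items():
        if op not in ("ArnEquals", "ArnNotEquals"):
            raise ValueError(f"unsupported operator: {op}")
        patterns = _as_list(keys["aws:PrincipalArn"])
        hit = any(fnmatchcase(principal_arn, p) for p in patterns)
        if hit != (op == "ArnEquals"):  # ArnNotEquals holds only when no ARN matches
            return False
    return True

def _matches(stmt, principal_arn, action, resource):
    # Simplification: case-sensitive glob match on actions and resources.
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_holds(stmt.get("Condition", {}), principal_arn))

def evaluate(policy, principal_arn, action, resource):
    effects = {s["Effect"] for s in policy["Statement"]
               if _matches(s, principal_arn, action, resource)}
    if "Deny" in effects:  # an explicit Deny overrides any matching Allow
        return "ExplicitDeny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"

def bucket_policy(deny_operator):
    # Reduced form of the question's policy: one Allow plus the catch-all Deny.
    resources = [BUCKET, BUCKET + "/*"]
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": resources,
         "Condition": {"ArnEquals": {"aws:PrincipalArn": ALLOWED}}},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": resources,
         "Condition": {deny_operator: {"aws:PrincipalArn": ALLOWED}}},
    ]}
```

For a request made with an assumed role, `aws:PrincipalArn` carries the role ARN rather than the session ARN, which is why role ARNs are the values to list in these conditions.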


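"I'm trying to load data into Redshift via Redshift Spectrum"

Just one comment on this: the last time I looked at Spectrum (maybe two years ago), I found a number of problems with CSV files, some of them basic, to the point that I considered Spectrum for CSV unfit for production use. If you're using CSV files, I strongly recommend using COPY rather than Spectrum.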


Ah, that was a typo, because I had been playing around with the policy. It is set to ArnNotEquals. Fixed in the original post. Thanks.

Thanks, I'm loading partitioned Parquet, so Spectrum seemed like the best solution for limiting the load to certain partitions.