Python Spectrum S3 Access Denied
I'm trying to load parquet data into Redshift via Redshift Spectrum. I have my trust relationships etc. set up and can assume the Redshift role fine. However, I get an S3 Access Denied error that I can't seem to resolve.

S3 bucket policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::<BUCKET>",
        "arn:aws:s3:::<BUCKET>/*"
      ],
      "Condition": {
        "ArnEquals": {
          "aws:PrincipalArn": [
            "<ADMIN ROLE 1 ARN>",
            "<ADMIN ROLE 2 ARN>"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetBucketNotification",
        "s3:GetBucketVersioning",
        "s3:DeleteObject",
        "s3:PutObject",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:ListBucketVersions"
      ],
      "Resource": [
        "arn:aws:s3:::<BUCKET>",
        "arn:aws:s3:::<BUCKET>/*"
      ],
      "Condition": {
        "ArnEquals": {
          "aws:PrincipalArn": [
            "arn:aws:iam::123456781234:role/GlueRole",
            "arn:aws:iam::123456781234:role/ExtractSQLRole",
            "arn:aws:iam::123456781234:role/RedshiftRole"
          ]
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::<BUCKET>/*",
        "arn:aws:s3:::<BUCKET>"
      ],
      "Condition": {
        "ArnNotEquals": {
          "aws:PrincipalArn": [
            "<ADMIN ROLE 1 ARN>",
            "<ADMIN ROLE 2 ARN>",
            "arn:aws:iam::123456781234:role/GlueRole",
            "arn:aws:iam::123456781234:role/ExtractSQLRole",
            "arn:aws:iam::123456781234:role/RedshiftRole"
          ]
        }
      }
    }
  ]
}
Glue role:
GlueRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Service: glue.amazonaws.com
          Action: sts:AssumeRole
        - Effect: Allow
          Principal:
            Service: redshift.amazonaws.com
          Action: sts:AssumeRole
          Condition:
            StringEquals:
              sts:ExternalId:
                - arn:aws:iam::123456781234:role/GlueRole
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole
With this I get a list of tables, but I always get the following error:

I need to keep the bucket secured to only certain roles, but I also need Spectrum to be able to query it... Any suggestions?

You have an explicit Deny for all of your principals:
{
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:*",
  "Resource": [
    "arn:aws:s3:::<BUCKET>/*",
    "arn:aws:s3:::<BUCKET>"
  ],
  "Condition": {
    "ArnEquals": {
      "aws:PrincipalArn": [
        "<ADMIN ROLE 1 ARN>",
        "<ADMIN ROLE 2 ARN>",
        "arn:aws:iam::123456781234:role/GlueRole",
        "arn:aws:iam::123456781234:role/ExtractSQLRole",
        "arn:aws:iam::123456781234:role/RedshiftRole"
      ]
    }
  }
}
Deny always wins, so you will always be denied, and no Allow will change that. I don't know what you are trying to achieve with this. Maybe you want to use ArnNotEquals?
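To make the answer's point concrete, here is an added example (not part of the original question or answer) that simulates how S3 evaluates a bucket policy: any matching explicit Deny wins, then any matching Allow applies, otherwise the request is implicitly denied. It models only what the question uses (Principal "*", string-or-list Action/Resource, and ArnEquals/ArnNotEquals on aws:PrincipalArn); real AWS evaluation also consults identity policies, SCPs and session policies. The account id and role names are the question's placeholders; the bucket name, the "SomeOtherRole" principal and the object key are constructed for the example.

```python
"""Simulate S3 bucket-policy evaluation for the question's Deny statement.

Compares the Deny written with ArnEquals (the typo) against ArnNotEquals
(the fix) for the Redshift Spectrum role and for an untrusted role.
"""
from fnmatch import fnmatchcase

ACCOUNT = "123456781234"                      # placeholder account id from the question
BUCKET_ARN = "arn:aws:s3:::example-bucket"    # constructed; the question uses <BUCKET>
TRUSTED_ROLES = [
    f"arn:aws:iam::{ACCOUNT}:role/GlueRole",
    f"arn:aws:iam::{ACCOUNT}:role/ExtractSQLRole",
    f"arn:aws:iam::{ACCOUNT}:role/RedshiftRole",
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value):
    # IAM Arn*/String* operators treat "*" and "?" as wildcards, which fnmatch also does
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def condition_matches(condition, context):
    """True when every operator/key pair in the Condition block is satisfied."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            hit = _any_match(expected, context[key])
            if operator in ("ArnEquals", "ArnLike"):
                ok = hit
            elif operator in ("ArnNotEquals", "ArnNotLike"):
                ok = not hit
            else:
                raise ValueError(f"operator {operator} not modelled here")
            if not ok:
                return False
    return True


def evaluate(policy, principal_arn, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request against one policy."""
    context = {"aws:PrincipalArn": principal_arn}
    allowed = False
    for stmt in policy["Statement"]:
        if stmt.get("Principal") != "*":
            continue  # only Principal "*" statements gated by a Condition are modelled
        if not _any_match(stmt["Action"], action):
            continue
        if not _any_match(stmt["Resource"], resource):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit Deny ends evaluation immediately
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def bucket_policy(deny_operator):
    """The question's Allow for the three roles plus its catch-all Deny.

    deny_operator selects how the Deny is written: "ArnEquals" reproduces the
    typo the answer points out, "ArnNotEquals" is the intended default-deny.
    """
    resources = [BUCKET_ARN, BUCKET_ARN + "/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": "*",
             "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": resources,
             "Condition": {"ArnEquals": {"aws:PrincipalArn": TRUSTED_ROLES}}},
            {"Effect": "Deny", "Principal": "*",
             "Action": "s3:*",
             "Resource": resources,
             "Condition": {deny_operator: {"aws:PrincipalArn": TRUSTED_ROLES}}},
        ],
    }


def compare():
    """Evaluate s3:GetObject for the Spectrum role and an untrusted role under both operators."""
    spectrum = f"arn:aws:iam::{ACCOUNT}:role/RedshiftRole"
    stranger = f"arn:aws:iam::{ACCOUNT}:role/SomeOtherRole"   # constructed untrusted role
    obj = BUCKET_ARN + "/parquet/part-0000.parquet"           # constructed object key
    results = {}
    for operator in ("ArnEquals", "ArnNotEquals"):
        policy = bucket_policy(operator)
        results[operator] = {
            "RedshiftRole": evaluate(policy, spectrum, "s3:GetObject", obj),
            "SomeOtherRole": evaluate(policy, stranger, "s3:GetObject", obj),
        }
    return results


if __name__ == "__main__":
    for operator, outcome in compare().items():
        print(operator, outcome)
```

With ArnEquals the Deny matches exactly the roles the Allow was meant for, so RedshiftRole is explicitly denied while the untrusted role falls through to the implicit deny; with ArnNotEquals the trusted roles get their Allow and everyone else hits the explicit Deny. Note that the fixed policy still does not grant the trusted roles anything beyond the listed actions (a delete by GlueRole is still implicitly denied), which is the least-privilege shape the question is after.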
"I'm trying to load data into Redshift via Redshift Spectrum"

Just a note on this: the last time I looked at Spectrum (probably two years ago) I found many issues with CSV files, some of them basic, to the point that I didn't think Spectrum for CSV was fit for production use. If you are using CSV files, I strongly recommend using COPY rather than Spectrum.

Ah, that was a typo from playing around with the policy. It is set to ArnNotEquals. Fixed in the original post. Thanks.

Thanks, I'm loading partitioned parquet, so Spectrum seems to be the best solution for limiting the partition loads.