是否需要通过控制台复制S3文件的权限?
是否需要通过控制台复制S3文件的权限?
提问于 2020-07-06 19:59:44
我正在尝试通过亚马逊网络服务控制台在S3中重命名一个对象。
我有一个角色,我附加了两个策略。
"read“权限
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetAccelerateConfiguration",
"s3:GetAnalyticsConfiguration",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketNotification",
"s3:GetBucketPolicy",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketRequestPayment",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetEncryptionConfiguration",
"s3:GetInventoryConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetMetricsConfiguration",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectTagging",
"s3:GetObjectTorrent",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:GetObjectVersionForReplication",
"s3:GetObjectVersionTagging",
"s3:GetObjectVersionTorrent",
"s3:GetReplicationConfiguration",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions",
"s3:ListMultipartUploadParts"
],
"Resource": [
"arn:aws:s3:::bfe-dp-test3-pos-lz",
"arn:aws:s3:::bfe-dp-test3-pos-lz/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:HeadBucket"
],
"Resource": "*"
}
]
}和一组“写”权限
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteBucketWebsite",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetBucketLocation",
"s3:GetBucketObjectLockConfiguration",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectTagging",
"s3:GetObjectVersion",
"s3:ListBucket",
"s3:PutAccelerateConfiguration",
"s3:PutAnalyticsConfiguration",
"s3:PutBucketCORS",
"s3:PutBucketLogging",
"s3:PutBucketNotification",
"s3:PutBucketRequestPayment",
"s3:PutBucketVersioning",
"s3:PutBucketWebsite",
"s3:PutEncryptionConfiguration",
"s3:PutInventoryConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutMetricsConfiguration",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectTagging",
"s3:PutReplicationConfiguration",
"s3:ReplicateDelete",
"s3:ReplicateObject",
"s3:RestoreObject"
],
"Resource": [
"arn:aws:s3:::bfe-dp-test3-pos-lz",
"arn:aws:s3:::bfe-dp-test3-pos-lz/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:HeadBucket"
],
"Resource": "*"
}
]
}然而,当我试图通过AWS控制台重命名一个文件(对象)时,我得到了一个失败的错误消息,没有详细信息...
你知道可能缺少哪些额外的权限吗?
回答 2
Stack Overflow用户
发布于 2020-07-06 20:44:48
我尝试用我自己的存储桶复制问题,我发现您的两个策略没有问题。
我的验证流程:
- 创建两个managed policies:one
read和onewriterole described. - Create an IAM role包含这两个策略。信任策略是我的沙箱帐户
arn:aws:iam::xxxx:root - Use console到Switch Role,以便假定在步骤2中创建的角色。
- 在假定的角色中,我尝试对存储桶中的对象执行,没有发现任何问题。我也可以将对象上传到存储桶中。
因此,在我看来,还发生了一些其他的事情。也许你在角色中的其他策略有什么问题?或者存储桶有一些策略拒绝某些操作?如注释中所述,如果对象已加密,则角色需要额外的KMS权限。
Stack Overflow用户
发布于 2020-07-06 20:55:03
在我上面的特殊情况下,我错过了加密的机会!
我不得不把这个加到我的“已读”策略中
{
"Sid": "kmsAccess",
"Effect": "Allow",
"Action": [
"kms:List*",
"kms:*"
],
"Resource": "*"
},谢谢你的帮忙
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/62755606
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号