文档建议反馈控制台
首页
学习
活动
专区
圈层
工具
MCP广场
文章/答案/技术大牛
发布
社区首页 >问答首页 >允许从IAM策略仅访问AWS S3中的单个文件

允许从IAM策略仅访问AWS S3中的单个文件
EN

Stack Overflow用户
提问于 2021-10-21 09:27:59
回答 2查看 91关注 0票数 0

我正在尝试仅允许访问S3文件夹中的特定文件,并在IAM策略下尝试

代码语言:javascript
复制
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "s3:GetLifecycleConfiguration",
            "s3:GetBucketTagging",
            "s3:GetInventoryConfiguration",
            "s3:GetObjectVersionTagging",
            "s3:ListBucketVersions",
            "s3:GetBucketLogging",
            "s3:ListBucket",
            "s3:GetAccelerateConfiguration",
            "s3:GetBucketPolicy",
            "s3:GetObjectVersionTorrent",
            "s3:GetObjectAcl",
            "s3:GetEncryptionConfiguration",
            "s3:GetBucketObjectLockConfiguration",
            "s3:GetIntelligentTieringConfiguration",
            "s3:GetBucketRequestPayment",
            "s3:GetObjectVersionAcl",
            "s3:GetObjectTagging",
            "s3:GetMetricsConfiguration",
            "s3:GetBucketOwnershipControls",
            "s3:GetBucketPublicAccessBlock",
            "s3:GetBucketPolicyStatus",
            "s3:ListBucketMultipartUploads",
            "s3:GetObjectRetention",
            "s3:GetBucketWebsite",
            "s3:GetBucketVersioning",
            "s3:GetBucketAcl",
            "s3:GetObjectLegalHold",
            "s3:GetBucketNotification",
            "s3:GetReplicationConfiguration",
            "s3:ListMultipartUploadParts",
            "s3:GetObject",
            "s3:GetObjectTorrent",
            "s3:GetBucketCORS",
            "s3:GetAnalyticsConfiguration",
            "s3:GetObjectVersionForReplication",
            "s3:GetBucketLocation",
            "s3:GetObjectVersion"
        ],
        "Resource": [
            "arn:aws:s3:::prod-bucket/folder1/folder2/*",
            "arn:aws:s3:::prod-bucket/folder3/folder4/my_file.csv",
        ]
    }
]

我能够读取folder2中的所有对象,但在尝试读取folder4中的my_file.csv时,它无法获取它。语法有问题吗?我尝试了多种方法,但不知道如何限制只读一个特定的文件。

amazon-web-services
amazon-s3
amazon-iam
EN

回答 2

Stack Overflow用户

发布于 2021-10-21 23:38:04

如果你不知道怎么写,你可以使用AWS Policy Generator,你可以有这样的东西。

代码语言:javascript
复制
{
  "Id": "VisualEditor0",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1634859177800",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::prod-bucket/folder3/folder4/my_file.csv",
      "Principal": "*"
    },
    {
      "Sid": "Stmt1634859274600",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::prod-bucket/folder1/folder2/*",
      "Principal": "*"
    }
  ]
}
票数 0
EN

Stack Overflow用户

发布于 2021-10-22 02:25:21

这个策略对我很有效:

代码语言:javascript
复制
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "s3:GetObject",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::my-bucket/folder3/folder4/my_file.csv"
        }
    ]
}

我将该策略放在一个IAM用户上,然后使用AWS CLI (作为该用户):

代码语言:javascript
复制
aws s3 cp s3://my-bucket/folder3/folder4/my_file.csv -

它成功地将我以该名称上传的文件打印到我的屏幕上。(连字符将其发送到stdout。)

票数 0
EN
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:

https://stackoverflow.com/questions/69659362

复制
相关文章

相似问题

领券

腾讯云开发者

扫码关注腾讯云开发者

扫码关注腾讯云开发者

领取腾讯云代金券

热门产品

热门推荐

更多推荐

Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有 

深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 粤公网安备44030502008569号

腾讯云计算(北京)有限责任公司 京ICP证150476号 |  京ICP备11018762号

问题归档专栏文章快讯文章归档关键词归档开发者手册归档开发者手册 Section 归档