如何配置AWS IAM,使用户能够从桶中下载某些文件夹/前缀,而不是其他文件夹/前缀?
如何配置AWS IAM,使用户能够从桶中下载某些文件夹/前缀,而不是其他文件夹/前缀?
提问于 2020-04-08 15:08:35
我们需要在中配置一个IAM策略,允许某人使用CLI (命令行接口)从某些文件夹/前缀下载对象,但不能从其他文件夹下载对象。例如,如果我们的桶被称为"companybucket",那么我们有三个文件夹/前缀:
- companybucket/apples
- companybucket/oranges
- companybucket/bananas
我们需要外部用户能够下载“苹果”和“香蕉”文件夹中的对象,而不是橘子。
到目前为止,我们已经制定了以下IAM策略来开始使用“苹果”。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:GetLifecycleConfiguration",
"s3:GetBucketTagging",
"s3:GetInventoryConfiguration",
"s3:GetObjectVersionTagging",
"s3:ListBucketVersions",
"s3:GetBucketLogging",
"s3:ListBucket",
"s3:GetAccelerateConfiguration",
"s3:GetBucketPolicy",
"s3:GetObjectVersionTorrent",
"s3:GetObjectAcl",
"s3:GetEncryptionConfiguration",
"s3:GetBucketObjectLockConfiguration",
"s3:GetBucketRequestPayment",
"s3:GetAccessPointPolicyStatus",
"s3:GetObjectVersionAcl",
"s3:GetObjectTagging",
"s3:GetMetricsConfiguration",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketPolicyStatus",
"s3:ListBucketMultipartUploads",
"s3:GetObjectRetention",
"s3:GetBucketWebsite",
"s3:GetBucketVersioning",
"s3:GetBucketAcl",
"s3:GetObjectLegalHold",
"s3:GetBucketNotification",
"s3:GetReplicationConfiguration",
"s3:ListMultipartUploadParts",
"s3:GetObject",
"s3:GetObjectTorrent",
"s3:DescribeJob",
"s3:GetBucketCORS",
"s3:GetAnalyticsConfiguration",
"s3:GetObjectVersionForReplication",
"s3:GetBucketLocation",
"s3:GetAccessPointPolicy",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::companybucket/apples",
"arn:aws:s3:::companybucket/apples/*"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:GetAccessPoint",
"s3:GetAccountPublicAccessBlock",
"s3:ListAllMyBuckets",
"s3:ListAccessPoints",
"s3:ListJobs",
"s3:HeadBucket"
],
"Resource": "*"
}
]
}然后,在AWS控制台用户界面网站上,我们访问了IAM (标识和访问管理) >>用户>>选择了用户问题中的用户>>权限选项卡>>直接将策略附加给用户
然后,用户在CLI中执行以下命令:
aws s3 sync s3://companybucket/apples MYFILES 出现以下错误:“调用AccessDenied操作时发生错误( ListObjectsV2 ):访问被拒绝”
我们做错什么了?任何帮助都将不胜感激,谢谢。
回答 1
Stack Overflow用户
发布于 2020-04-08 16:32:12
下面的方法对我们来说是成功的,它允许在IAM中设置的AWS用户能够从桶中的某些文件夹(但不是全部)下载文件/对象。
FIRST,在IAM中设置以下策略。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowStatement01",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::companybucket"
],
"Condition": {
"StringEquals": {
"s3:prefix": [
"",
"apples",
"bananas"
]
}
}
},
{
"Sid": "AllowStatement02",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::companybucket"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"apples/*",
"bananas/*"
]
}
}
},
{
"Sid": "AllowStatement03",
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::companybucket/apples/*",
"arn:aws:s3:::companybucket/bananas/*"
]
}
]
}第二个,直接将新创建的策略附加到IAM中的用户。
第三,告诉用户设置一个名为MYFILES的根级本地文件夹,然后在CLI (命令行接口)中输入以下命令:
aws s3 sync s3://companybucket/apples MYFILES 页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/61103941
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号