amazon-web-services – 跨账户中的Amazon S3文件“拒绝访问”例外

我有2个AWS账户.帐户A有S3桶’BUCKET’,其中我使用
Java api放置文件.我已配置我的’BUCKET’政策以允许跨帐户文件发布.

但是,当我尝试从帐户A打开此文件时,它说AccessDeniedAccess被hostId和requestId拒绝.

此文件使用java api通过帐户B发布,此文件与通过api发布的文件大小相同.我尝试更改文件大小,并在AWS S3控制台上显示新大小.
这是我的存储桶政策:

    {
"Version": "2008-10-17",
"Id": "Policy1357935677554",
"Statement": [
    {
        "Sid": "Stmt1357935647218",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::ACCOUNTB:user/accountb-user"
        },
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::bucket-name"
    },
    {
        "Sid": "Stmt1357935676138",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::ACCOUNTB:user/accountb-user"
        },
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::bucket-name/*"
    },
    {
        "Sid": "Stmt1357935676138",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::ACCOUNTB:user/accountb-user"
        },
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::bucket-name/*"
    },
    {
        "Sid": "Stmt1357935647218",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::ACCOUNTA:user/accounta-user"
        },
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::bucket-name"
    },
    {
        "Sid": "Stmt1357935676138",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::ACCOUNTA:user/accounta-user"
        },
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::bucket-name/*"
    },
    {
        "Sid": "Stmt1357935676138",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::ACCOUNTA:root"
        },
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::bucket-name/*"
    }
]

}

问题是当我尝试从帐户A下载/打开此文件时,我无法打开它.

最佳答案 问题是默认情况下,当AWS(cli或SDK)上传文件时,它仅通过s3 ACL授予对上传者的访问权限.

在这种情况下,要允许所有者读取上载的文件,上传者必须在上载期间明确授予对存储桶所有者的访问权限.例如:

>使用aws CLI(文档here):aws s3api put-object –bucket< bucketname> –key< filename> –acl bucket-owner-full-control
>使用nodejs API(文档here):您必须将AWS.S3.upload方法的params.ACL属性设置为“bucket-owner-full-control”

同时,您还可以确保存储桶拥有者对存储桶策略具有完全控制权(附加文档here):

{
    “版本”:“2012-10-17”,
    “声明”:[
        {
            “Sid”:“授予所有者完全控制开发”,
            “效果”:“允许”,
            “校长”:{
                “AWS”:“arn:aws:iam :: ACCOUNTB:root”
            },
            “行动”:[
                “S3:PutObject”
            ]
            “资源”:[
                “阿尔恩:AWS:S3 :::桶名称/ *”
            ]
            “条件”:{
                “StringEquals”:{
                    “s3:x-amz-acl”:“bucket-owner-full-control”
                }
            }
        }
    ]
}

点赞