amazon-s3 – 针对预签名URL的正确S3策略

2019年7月20日 533次阅读

我需要发布预先签名的URL,以允许用户将GET和PUT文件转换为特定的S3存储桶.我创建了一个IAM用户并使用其密钥创建预签名URL,并添加了嵌入该用户的自定义策略(参见下文).当我使用生成的URL时,我的策略出现AccessDenied错误.如果我将FullS3Access策略添加到IAM用户,则该文件可以是具有相同URL的GET或PUT,因此显然缺少我的自定义策略.这有什么问题?

这是我正在使用的自定义策略不起作用:

{
    "Statement": [
        {
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::MyBucket"
            ]
        },
        {
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:DeleteBucketPolicy",
                "s3:DeleteObject",
                "s3:GetBucketPolicy",
                "s3:GetLifecycleConfiguration",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:ListMultipartUploadParts",
                "s3:PutBucketPolicy",
                "s3:PutLifecycleConfiguration",
                "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::MyBucket/*"
            ]
        }
    ]
}

最佳答案 存储桶权限与对象权限

您的策略的以下权限应该位于Bucket级别(arn:aws:s3 ::: MyBucket),而不是Bucket中的子路径(例如arn:aws:s3 ::: MyBucket / *):

> s3:CreateBucket
> s3:DeleteBucket
> s3:DeleteBucketPolicy
> s3:GetBucketPolicy
> s3:GetLifecycleConfiguration
> s3:ListBucket
> s3:ListBucketMultipartUploads
> s3:PutBucketPolicy
> s3:PutLifecycleConfiguration

见:Specifying Permissions in a Policy

但是,这不是您无法PUT或GET文件的原因.

得到

您已分配GetObject权限的事实意味着您应该能够从S3存储桶中获取对象.我通过将您的策略​​分配给用户,然后使用该用户的凭据访问对象并且它正常工作来测试这一点.

我还使用您的政策通过网络表单上传,并且它正常工作.

这是我用来上传的表单:

<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title>S3 POST Form</title> 

  <style type="text/css"></style></head>

  <body> 
    <form action="https://<BUCKET-NAME>.s3.amazonaws.com/" method="post" enctype="multipart/form-data">
      <input type="hidden" name="key" value="uploads/${filename}">
      <input type="hidden" name="AWSAccessKeyId" value="<ACCESS-KEY>">
      <input type="hidden" name="acl" value="private"> 
      <input type="hidden" name="success_action_redirect" value="http://<BUCKET-NAME>.s3.amazonaws.com/ok.html">
      <input type="hidden" name="policy" value="<ENCODED-POLICY>">
      <input type="hidden" name="signature" value="<SIGNATURE>">
      <input type="hidden" name="Content-Type" value="image/jpeg">
      <!-- Include any additional input fields here -->

      File to upload to S3: 
      <input name="file" type="file"> 
      <br> 
      <input type="submit" value="Upload File to S3"> 
    </form>

以下是我生成签名的方法:

#!/usr/bin/python
import base64
import hmac, hashlib

policy_document = '{"expiration": "2018-01-01T00:00:00Z", "conditions": [ {"bucket": "<BUCKET-NAME>"}, ["starts-with", "$key", "uploads/"], {"acl": "private"}, {"success_action_redirect": "http://BUCKET-NAME.s3.amazonaws.com/ok.html"}, ["starts-with", "$Content-Type", ""], ["content-length-range", 0, 1048000] ] }'

AWS_SECRET_ACCESS_KEY = "<SECRET-KEY>"

policy = base64.b64encode(policy_document)

signature = base64.b64encode(hmac.new(AWS_SECRET_ACCESS_KEY, policy, hashlib.sha1).digest())

print policy
print
print signature
点赞