我需要发布预先签名的URL,以允许用户将GET和PUT文件转换为特定的S3存储桶.我创建了一个IAM用户并使用其密钥创建预签名URL,并添加了嵌入该用户的自定义策略(参见下文).当我使用生成的URL时,我的策略出现AccessDenied错误.如果我将FullS3Access策略添加到IAM用户,则该文件可以是具有相同URL的GET或PUT,因此显然缺少我的自定义策略.这有什么问题?
这是我正在使用的自定义策略不起作用:
{
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::MyBucket"
]
},
{
"Action": [
"s3:AbortMultipartUpload",
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteBucketPolicy",
"s3:DeleteObject",
"s3:GetBucketPolicy",
"s3:GetLifecycleConfiguration",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:PutBucketPolicy",
"s3:PutLifecycleConfiguration",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::MyBucket/*"
]
}
]
}
最佳答案 存储桶权限与对象权限
您的策略的以下权限应该位于Bucket级别(arn:aws:s3 ::: MyBucket),而不是Bucket中的子路径(例如arn:aws:s3 ::: MyBucket / *):
> s3:CreateBucket
> s3:DeleteBucket
> s3:DeleteBucketPolicy
> s3:GetBucketPolicy
> s3:GetLifecycleConfiguration
> s3:ListBucket
> s3:ListBucketMultipartUploads
> s3:PutBucketPolicy
> s3:PutLifecycleConfiguration
见:Specifying Permissions in a Policy
但是,这不是您无法PUT或GET文件的原因.
得到
您已分配GetObject权限的事实意味着您应该能够从S3存储桶中获取对象.我通过将您的策略分配给用户,然后使用该用户的凭据访问对象并且它正常工作来测试这一点.
放
我还使用您的政策通过网络表单上传,并且它正常工作.
这是我用来上传的表单:
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>S3 POST Form</title>
<style type="text/css"></style></head>
<body>
<form action="https://<BUCKET-NAME>.s3.amazonaws.com/" method="post" enctype="multipart/form-data">
<input type="hidden" name="key" value="uploads/${filename}">
<input type="hidden" name="AWSAccessKeyId" value="<ACCESS-KEY>">
<input type="hidden" name="acl" value="private">
<input type="hidden" name="success_action_redirect" value="http://<BUCKET-NAME>.s3.amazonaws.com/ok.html">
<input type="hidden" name="policy" value="<ENCODED-POLICY>">
<input type="hidden" name="signature" value="<SIGNATURE>">
<input type="hidden" name="Content-Type" value="image/jpeg">
<!-- Include any additional input fields here -->
File to upload to S3:
<input name="file" type="file">
<br>
<input type="submit" value="Upload File to S3">
</form>
以下是我生成签名的方法:
#!/usr/bin/python
import base64
import hmac, hashlib
policy_document = '{"expiration": "2018-01-01T00:00:00Z", "conditions": [ {"bucket": "<BUCKET-NAME>"}, ["starts-with", "$key", "uploads/"], {"acl": "private"}, {"success_action_redirect": "http://BUCKET-NAME.s3.amazonaws.com/ok.html"}, ["starts-with", "$Content-Type", ""], ["content-length-range", 0, 1048000] ] }'
AWS_SECRET_ACCESS_KEY = "<SECRET-KEY>"
policy = base64.b64encode(policy_document)
signature = base64.b64encode(hmac.new(AWS_SECRET_ACCESS_KEY, policy, hashlib.sha1).digest())
print policy
print
print signature