我有2个AWS账户.帐户A有S3桶’BUCKET’,其中我使用
Java api放置文件.我已配置我的’BUCKET’政策以允许跨帐户文件发布.
但是,当我尝试从帐户A打开此文件时,它说AccessDeniedAccess被hostId和requestId拒绝.
此文件使用java api通过帐户B发布,此文件与通过api发布的文件大小相同.我尝试更改文件大小,并在AWS S3控制台上显示新大小.
这是我的存储桶政策:
{
"Version": "2008-10-17",
"Id": "Policy1357935677554",
"Statement": [
{
"Sid": "Stmt1357935647218",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNTB:user/accountb-user"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::bucket-name"
},
{
"Sid": "Stmt1357935676138",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNTB:user/accountb-user"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucket-name/*"
},
{
"Sid": "Stmt1357935676138",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNTB:user/accountb-user"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket-name/*"
},
{
"Sid": "Stmt1357935647218",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNTA:user/accounta-user"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::bucket-name"
},
{
"Sid": "Stmt1357935676138",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNTA:user/accounta-user"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket-name/*"
},
{
"Sid": "Stmt1357935676138",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNTA:root"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket-name/*"
}
]
}
问题是当我尝试从帐户A下载/打开此文件时,我无法打开它.
最佳答案 问题是默认情况下,当AWS(cli或SDK)上传文件时,它仅通过s3 ACL授予对上传者的访问权限.
在这种情况下,要允许所有者读取上载的文件,上传者必须在上载期间明确授予对存储桶所有者的访问权限.例如:
>使用aws CLI(文档here):aws s3api put-object –bucket< bucketname> –key< filename> –acl bucket-owner-full-control
>使用nodejs API(文档here):您必须将AWS.S3.upload方法的params.ACL属性设置为“bucket-owner-full-control”
同时,您还可以确保存储桶拥有者对存储桶策略具有完全控制权(附加文档here):
{
“版本”:“2012-10-17”,
“声明”:[
{
“Sid”:“授予所有者完全控制开发”,
“效果”:“允许”,
“校长”:{
“AWS”:“arn:aws:iam :: ACCOUNTB:root”
},
“行动”:[
“S3:PutObject”
]
“资源”:[
“阿尔恩:AWS:S3 :::桶名称/ *”
]
“条件”:{
“StringEquals”:{
“s3:x-amz-acl”:“bucket-owner-full-control”
}
}
}
]
}
