当权限为S3时，AccessDenied for ListObjects for S3 bucket:*

我得到:

在调用ListObjects操作时发生错误(AccessDenied): AccessDenied

当我试图从S3存储桶中获取文件夹时。

使用该命令:

aws s3 cp s3://bucket-name/data/all-data/ . --recursive

桶的IAM权限如下所示:

{
"Version": "version_id",
"Statement": [
    {
        "Sid": "some_id",
        "Effect": "Allow",
        "Action": [
            "s3:*"
        ],
        "Resource": [
            "arn:aws:s3:::bucketname/*"
        ]
    }
] }

我需要改变什么才能成功复制和ls ?

当前回答

这是一个对我有用的策略。

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-name"
      ]
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-name/*"
      ]
    }
  ]
}

2021-07-13 00:35:59

其他回答

您已经授予了对S3桶内的对象执行命令的权限，但没有授予对桶本身执行任何操作的权限。

稍微修改一下你的策略会是这样的:

{
  "Version": "version_id",
  "Statement": [
    {
        "Sid": "some_id",
        "Effect": "Allow",
        "Action": [
            "s3:*"
        ],
        "Resource": [
            "arn:aws:s3:::bucketname",
            "arn:aws:s3:::bucketname/*"
        ]
    }
  ] 
}

然而，这可能会给予超出所需的许可。遵循AWS IAM授予最小特权的最佳实践将看起来像这样:

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": [
              "s3:ListBucket"
          ],
          "Resource": [
              "arn:aws:s3:::bucketname"
          ]
      },
      {
          "Effect": "Allow",
          "Action": [
              "s3:GetObject"
          ],
          "Resource": [
              "arn:aws:s3:::bucketname/*"
          ]
      }
  ]
}

2016-08-04 19:04:31

这是一个对我有用的策略。

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-name"
      ]
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-name/*"
      ]
    }
  ]
}

2021-07-13 00:35:59

我无法访问S3，因为

首先，我在实例上配置了密钥访问(在启动后不可能附加角色) 先把这事忘了几个月将角色附加到实例尝试访问。配置的密钥优先级高于role，由于没有授予用户必要的S3权限，因此拒绝访问。

解决方案:rm -rf .aws/credentials，那么aws使用role。

2017-03-30 20:05:17

您必须通过“arn:aws:s3:::bucketname”或“arn:aws:3:: bucketname*”为桶指定Resource。后者是首选，因为它也允许对桶的对象进行操作。注意这里没有斜杠!

列出对象是Bucket上的一个操作。因此，需要执行“s3:ListBucket”操作。向Bucket中添加对象是object上的操作。因此，需要动作“s3:PutObject”。当然，您可能希望根据需要添加其他操作。

{
"Version": "version_id",
"Statement": [
    {
        "Sid": "some_id",
        "Effect": "Allow",
        "Action": [
            "s3:ListBucket",
            "s3:PutObject"
        ],
        "Resource": [
            "arn:aws:s3:::bucketname*"
        ]
    }
] 
}

2017-04-05 12:42:59

我得到了相同的错误时使用策略如下，虽然我有“s3:ListBucket”s3:ListObjects操作。

{
"Version": "2012-10-17",
"Statement": [
    {
        "Action": [
            "s3:ListBucket",
            "s3:GetObject",
            "s3:GetObjectAcl"
        ],
        "Resource": [
            "arn:aws:s3:::<bucketname>/*",
            "arn:aws:s3:::*-bucket/*"
        ],
        "Effect": "Allow"
    }
  ]
 }

然后我通过添加一行来修复它 “攻击:aws: s3::: bucketname”

{
"Version": "2012-10-17",
"Statement": [
    {
        "Action": [
            "s3:ListBucket",
            "s3:GetObject",
            "s3:GetObjectAcl"
        ],
        "Resource": [
             "arn:aws:s3:::<bucketname>",
            "arn:aws:s3:::<bucketname>/*",
            "arn:aws:s3:::*-bucket/*"
        ],
        "Effect": "Allow"
    }
 ]
}

2017-07-03 04:33:23

当权限为S3时，AccessDenied for ListObjects for S3 bucket:*

推荐文章

最新文章

标签