如果我将管理员访问策略分配给我的S3用户,那么我可以轻松地将文件从我的Web应用程序上传到AWSS3。
策略名称:管理员访问
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
但是当我试图通过另一个策略限制他的权限时,我收到了来自Amazon-AccessDened的403错误。
请求标头:
Remote Address: [hidden]
Request URL:https://mydevelopmentbucket.s3-us-west-2.amazonaws.com/
Request Method:POST
Status Code:403 Forbidden
从Amazon S3返回的xml:
<?xml version="1.0" encoding="UTF-8"?>
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>B9DDXX267F8E201E</RequestId>
<HostId>gAU8sdlfkjsflkjsdZEmFT0VJwOG3FYdflkjdsfx6Po=</HostId>
</Error>
这些操作对于文件上传还不够吗?下面是修改(有限)的用户策略。
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket"
limited_user政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUploadingInProduction",
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::myproductionbucket/*"
]
},
{
"Sid": "AllowUploadingInDevelopment",
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::mydevelopmentbucket/*"
]
}
]
}
开发桶策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "UploadFile",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::5503214313988:user/limited_user"
},
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::mydevelopmentbucket/*"
},
{
"Sid": "ListBucket",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::5503214313988:user/limited_user"
},
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::mydevelopmentbucket"
},
{
"Sid": "crossdomainAccess",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mydevelopmentbucket/crossdomain.xml"
}
]
}
请求有效载荷
------WebKitFormBoundaryGGlyxVetpT9vWBGi
Content-Disposition: form-data; name="key"
3c23688b16c03b7491508ab97595b74ebd301ca6a4f0aaea74a23a81944e457c/avatars/gjRyRE20LzJsGHAwulI1QZqV77JpnPGmTLKrxvvnIpQSqe800zcHT8vvWGF0wVoC/cache2.jpg
------WebKitFormBoundaryGGlyxVetpT9vWBGi
Content-Disposition: form-data; name="AWSAccessKeyId"
AKIAIITCEYZCTQBJ4RUQ
------WebKitFormBoundaryGGlyxVetpT9vWBGi
Content-Disposition: form-data; name="acl"
public-read
------WebKitFormBoundaryGGlyxVetpT9vWBGi
Content-Disposition: form-data; name="policy"
ewogICAgImV4cGlyYXRpb24iOiAiMjAyMC0wMS0wMVQwMDowMDowMFoiLAogICAgImNvbmRpdGlvbnMiOiBbCiAgICAgICAgeyJidsdkfjsflksdjflksdfjHMtd2l0aCIsICIkQ29udGVudC1UeXBlIiwgIiJdLAogICAgICAgIFsic3RhcnRzLXdpdGgiLCAiJGZpbGVuYW1lIiwgIiJdLAogICAgICAgIHsic3VjY2Vzc19hY3Rpb25fc3RhdHVzIjogIjIwMSJ9LAogICAgICAgIFsiY29udGVudC1sZW5ndGgtcmFuZ2UiLCAwLCA1MjQyODgwMDBdCiAgICBdCn0=
------WebKitFormBoundaryGGlyxVetpT9vWBGi
Content-Disposition: form-data; name="signature"
svw7geEWRWER88ERLaxNiIY=
------WebKitFormBoundaryGGlyxVetpT9vWBGi
Content-Disposition: form-data; name="Content-Type"
image/jpeg
------WebKitFormBoundaryGGlyxVetpT9vWBGi
Content-Disposition: form-data; name="filename"
cache2.jpg
------WebKitFormBoundaryGGlyxVetpT9vWBGi
Content-Disposition: form-data; name="success_action_status"
201
------WebKitFormBoundaryGGlyxVetpT9vWBGi
Content-Disposition: form-data; name="file"; filename="undefined"
Content-Type: image/png
------WebKitFormBoundaryGGlyxVetpT9vWBGi--
我的角度指令:
$scope.upload = function(dataUrl) {
Upload.upload({
url: '<%= ENV["S3_UPLOAD_URL"] %>',
method: 'POST',
data: {
key: 'avatars/' + $scope.picFile.name,
AWSAccessKeyId: '<%= ENV["AWS_ACCESS_KEY_ID"] %>',
acl: 'public-read',
policy: $scope.policy,
signature: $scope.signature,
"Content-Type": $scope.picFile.type != '' ? $scope.picFile.type : 'application/octet-stream',
filename: $scope.picFile.name,
success_action_status: 201,
file: Upload.dataUrltoBlob(dataUrl)
}
})
.then(
function (resp) {
console.log('Success');
},
function(resp) {
console.log('Error');
},
function(evt) {
$scope.progressPercentage = parseInt(100.0 * evt.loaded / evt.total);
}
);
};
我需要在我的limited_user政策中再添加2个操作:
"s3:GetObjectAcl",
"s3:PutObjectAcl"