提问者:小点点

我需要在用户策略中指定哪些操作才能将文件上传到S3?


如果我将管理员访问策略分配给我的S3用户,那么我可以轻松地将文件从我的Web应用程序上传到AWSS3。

策略名称:管理员访问

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

但是当我试图通过另一个策略限制他的权限时,我收到了来自Amazon-AccessDened的403错误。

请求标头:

Remote Address: [hidden]
Request URL:https://mydevelopmentbucket.s3-us-west-2.amazonaws.com/
Request Method:POST
Status Code:403 Forbidden

从Amazon S3返回的xml:

<?xml version="1.0" encoding="UTF-8"?>
<Error>
  <Code>AccessDenied</Code>
  <Message>Access Denied</Message>    
  <RequestId>B9DDXX267F8E201E</RequestId>      
  <HostId>gAU8sdlfkjsflkjsdZEmFT0VJwOG3FYdflkjdsfx6Po=</HostId>
</Error>

这些操作对于文件上传还不够吗?下面是修改(有限)的用户策略。

"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket"

limited_user政策:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUploadingInProduction",
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::myproductionbucket/*"
            ]
        },
        {
            "Sid": "AllowUploadingInDevelopment",
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::mydevelopmentbucket/*"
            ]
        }
    ]
}

开发桶策略:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UploadFile",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::5503214313988:user/limited_user"
      },
      "Action": [
         "s3:DeleteObject",
          "s3:GetObject",
          "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::mydevelopmentbucket/*"
    },

    {
      "Sid": "ListBucket",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::5503214313988:user/limited_user"
      },
      "Action": [
         "s3:ListBucket"          
      ],
      "Resource": "arn:aws:s3:::mydevelopmentbucket"
    },

    {
      "Sid": "crossdomainAccess",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::mydevelopmentbucket/crossdomain.xml"
    }
  ]
}

请求有效载荷

------WebKitFormBoundaryGGlyxVetpT9vWBGi
Content-Disposition: form-data; name="key"

3c23688b16c03b7491508ab97595b74ebd301ca6a4f0aaea74a23a81944e457c/avatars/gjRyRE20LzJsGHAwulI1QZqV77JpnPGmTLKrxvvnIpQSqe800zcHT8vvWGF0wVoC/cache2.jpg
------WebKitFormBoundaryGGlyxVetpT9vWBGi
Content-Disposition: form-data; name="AWSAccessKeyId"

AKIAIITCEYZCTQBJ4RUQ
------WebKitFormBoundaryGGlyxVetpT9vWBGi
Content-Disposition: form-data; name="acl"

public-read
------WebKitFormBoundaryGGlyxVetpT9vWBGi
Content-Disposition: form-data; name="policy"

ewogICAgImV4cGlyYXRpb24iOiAiMjAyMC0wMS0wMVQwMDowMDowMFoiLAogICAgImNvbmRpdGlvbnMiOiBbCiAgICAgICAgeyJidsdkfjsflksdjflksdfjHMtd2l0aCIsICIkQ29udGVudC1UeXBlIiwgIiJdLAogICAgICAgIFsic3RhcnRzLXdpdGgiLCAiJGZpbGVuYW1lIiwgIiJdLAogICAgICAgIHsic3VjY2Vzc19hY3Rpb25fc3RhdHVzIjogIjIwMSJ9LAogICAgICAgIFsiY29udGVudC1sZW5ndGgtcmFuZ2UiLCAwLCA1MjQyODgwMDBdCiAgICBdCn0=
------WebKitFormBoundaryGGlyxVetpT9vWBGi
Content-Disposition: form-data; name="signature"

svw7geEWRWER88ERLaxNiIY=
------WebKitFormBoundaryGGlyxVetpT9vWBGi
Content-Disposition: form-data; name="Content-Type"

image/jpeg
------WebKitFormBoundaryGGlyxVetpT9vWBGi
Content-Disposition: form-data; name="filename"

cache2.jpg
------WebKitFormBoundaryGGlyxVetpT9vWBGi
Content-Disposition: form-data; name="success_action_status"

201
------WebKitFormBoundaryGGlyxVetpT9vWBGi
Content-Disposition: form-data; name="file"; filename="undefined"
Content-Type: image/png


------WebKitFormBoundaryGGlyxVetpT9vWBGi--

我的角度指令:

$scope.upload = function(dataUrl) {

    Upload.upload({
        url: '<%= ENV["S3_UPLOAD_URL"] %>',
        method: 'POST',
        data: {
            key: 'avatars/' + $scope.picFile.name, 
            AWSAccessKeyId: '<%= ENV["AWS_ACCESS_KEY_ID"] %>',
            acl: 'public-read', 
            policy: $scope.policy,
            signature: $scope.signature,
            "Content-Type": $scope.picFile.type != '' ? $scope.picFile.type : 'application/octet-stream', 
            filename: $scope.picFile.name, 
            success_action_status: 201,
            file: Upload.dataUrltoBlob(dataUrl)
        }
    })
    .then(
        function (resp) {
            console.log('Success');                    
        },
        function(resp) {
            console.log('Error');
        },
        function(evt) {
            $scope.progressPercentage = parseInt(100.0 * evt.loaded / evt.total);                    
        }
    );  
};

共1个答案

匿名用户

我需要在我的limited_user政策中再添加2个操作:

"s3:GetObjectAcl",
"s3:PutObjectAcl"