我正在嘗試使用 NodeJs (aws-sdk) 將物件上傳到 AWS 存盤桶,但出現訪問被拒絕錯誤。
我使用 accessKeyId 和 secretAccessKey 的 IAM 用戶也被授予訪問我嘗試上傳到的 s3 存盤桶的權限。
后端代碼
const s3 = new AWS.S3({
accessKeyId: this.configService.get<string>('awsAccessKeyId'),
secretAccessKey: this.configService.get<string>('awsSecretAccessKey'),
params: {
Bucket: this.configService.get<string>('awsPublicBucketName'),
},
region: 'ap-south-1',
});
const uploadResult = await s3
.upload({
Bucket: this.configService.get<string>('awsPublicBucketName'),
Body: dataBuffer,
Key: `${folder}/${uuid()}-${filename}`,
})
.promise();
桶策略
{
"Version": "2012-10-17",
"Id": "PolicyXXXXXXXXX",
"Statement": [
{
"Sid": "StmtXXXXXXXXXXXXXX",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::some-random-bucket"
},
{
"Sid": "StmtXXXXXXXXXXX",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXXXXXX:user/some-random-user"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::some-random-bucket"
}
]
}
uj5u.com熱心網友回復:
你有一個明確的拒絕宣告,拒絕任何人在 上做任何與 S3 相關的事情some-random-bucket。
根據官方IAM 策略評估邏輯,這將覆寫策略中的任何允許陳述句。
您可以執行以下任何操作:
- 從策略中洗掉拒絕陳述句
- 修改拒絕陳述句并用于從拒絕陳述句
NotPrincipal中排除some-random-user - 修改拒絕陳述句并使用
aws:PrincipalArn帶有ArnNotEquals條件運算子的條件鍵從拒絕陳述句中排除some-random-user,即
{
"Version": "2012-10-17",
"Id": "PolicyXXXXXXXXX",
"Statement": [
{
"Sid": "StmtXXXXXXXXXXXXXX",
"Effect": "Deny",
"Action": "s3:*",
"Principal": "*",
"Resource": "arn:aws:s3:::some-random-bucket",
"Condition": {
"ArnNotEquals": {
"aws:PrincipalArn": "arn:aws:iam::XXXXXXXXXX:user/some-random-user"
}
}
},
{
"Sid": "StmtXXXXXXXXXXX",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXXXXXX:user/some-random-user"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::some-random-bucket"
}
]
}
轉載請註明出處,本文鏈接:https://www.uj5u.com/qiye/490247.html
