I want to create an S3 bucket from which anyone can get objects, but only an IAM user can upload objects.
My bucket policy is the following. Anyone can read objects, but cannot delete, list, or create them.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my_bucket/*"
        }
    ]
}
I attached the following policy to the user and the group to grant permission to upload objects.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1347416638923",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::my_bucket/*"
        }
    ]
}
(Resource fixed as @Marcin mentioned.)
The problem is that this user can list objects and delete objects from JavaScript. How can we make this user able to upload objects only?
By the way, we use Wasabi storage.
Reply from a uj5u.com user:
arn:aws:s3:::my_bucket is a bucket, not an object. So it should be:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1347416638923",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::my_bucket/*"
        },
        {
            "Sid": "ExplicitDeny",
            "Effect": "Deny",
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::my_bucket/*"
        },
        {
            "Sid": "ExplicitDeny2",
            "Effect": "Deny",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::my_bucket"
        }
    ]
}
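To make the answer's two points concrete (a bucket ARN never matches an object ARN, and an explicit Deny beats any Allow no matter which policy the Allow sits in), here is a small policy evaluator run over the policies from this thread. It is an added example, not code from the thread, from AWS or from Wasabi. The IAM user ARN, the object key, and the broad `s3:*` policy that stands in for "whatever else the user has attached" are assumptions. It follows AWS's documented evaluation order (explicit Deny, then Allow, then implicit deny) but skips conditions, NotAction/NotResource, ACLs and cross-account rules, so treat it as a way to reason about these policies rather than as a replacement for IAM's own policy simulator.

```python
"""Minimal IAM/S3 policy evaluator for the upload-only scenario in this thread.

Added example, not AWS's or Wasabi's code. It models only the rules the thread
turns on: Allow/Deny statements, * and ? wildcards in Action and Resource, and
the evaluation order "explicit Deny > Allow > implicit deny". Conditions,
NotAction/NotResource, ACLs and cross-account principals are not modelled.
"""
import fnmatch

# Constructed inputs. The bucket policy is the asker's, with Resource scoped to
# the bucket's object ARN (a bucket policy's Resource must live in that bucket).
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow",
                   "Principal": {"AWS": "*"},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::my_bucket/*"}],
}
# The asker's first attempt: a bucket ARN where an object ARN is needed.
UPLOAD_WITH_BUCKET_ARN = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:PutObject",
                   "Resource": "arn:aws:s3:::my_bucket"}],
}
# The answer's policy: PutObject on objects, explicit denies for delete and list.
UPLOAD_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::my_bucket/*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::my_bucket/*"},
        {"Effect": "Deny", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::my_bucket"},
    ],
}
# Assumption: the user also carries a broad grant such as this one; that is the
# usual reason a "PutObject-only" user can still list and delete.
BROAD_S3 = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _match(patterns, value, fold_case=False):
    # IAM wildcards are * and ?; action names compare case-insensitively, ARNs do not.
    if fold_case:
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower() if fold_case else p)
               for p in _as_list(patterns))


def _principal_applies(stmt, principal):
    p = stmt.get("Principal")
    if p is None:                        # identity policy: applies to its attached principal
        return principal != "anonymous"
    if p == "*" or p.get("AWS") == "*":  # resource policy open to everyone
        return True
    return principal in _as_list(p.get("AWS", []))


def evaluate(principal, action, resource, bucket_policy, identity_policies=()):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    policies = [bucket_policy]
    if principal != "anonymous":         # anonymous callers are judged by the bucket policy only
        policies += list(identity_policies)
    allowed = False
    for pol in policies:
        for stmt in _as_list(pol["Statement"]):
            if not _principal_applies(stmt, principal):
                continue
            if not (_match(stmt["Action"], action, fold_case=True)
                    and _match(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"            # an explicit Deny anywhere ends the evaluation
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def scenarios():
    """The thread's requests, as name -> decision."""
    user = "arn:aws:iam::123456789012:user/uploader"   # assumed IAM user ARN
    obj, bucket = "arn:aws:s3:::my_bucket/photo.jpg", "arn:aws:s3:::my_bucket"
    return {
        "anon_get": evaluate("anonymous", "s3:GetObject", obj, BUCKET_POLICY),
        "anon_put": evaluate("anonymous", "s3:PutObject", obj, BUCKET_POLICY),
        "anon_list": evaluate("anonymous", "s3:ListBucket", bucket, BUCKET_POLICY),
        # A bucket ARN never matches an object ARN, so the first attempt grants nothing.
        "put_bucket_arn": evaluate(user, "s3:PutObject", obj, BUCKET_POLICY, [UPLOAD_WITH_BUCKET_ARN]),
        "put": evaluate(user, "s3:PutObject", obj, BUCKET_POLICY, [UPLOAD_ONLY]),
        "delete": evaluate(user, "s3:DeleteObject", obj, BUCKET_POLICY, [UPLOAD_ONLY]),
        "list": evaluate(user, "s3:ListBucket", bucket, BUCKET_POLICY, [UPLOAD_ONLY]),
        # With the broad grant also attached, the explicit denies still win.
        "put_broad": evaluate(user, "s3:PutObject", obj, BUCKET_POLICY, [UPLOAD_ONLY, BROAD_S3]),
        "delete_broad": evaluate(user, "s3:DeleteObject", obj, BUCKET_POLICY, [UPLOAD_ONLY, BROAD_S3]),
        "list_broad": evaluate(user, "s3:ListBucket", bucket, BUCKET_POLICY, [UPLOAD_ONLY, BROAD_S3]),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:15} {decision}")
```

The decisions line up with the thread: anonymous GetObject is allowed, anonymous PutObject and ListBucket are implicitly denied, PutObject with the bucket ARN as Resource is implicitly denied, and DeleteObject and ListBucket are explicitly denied even when an `s3:*` grant is attached alongside. The caveat the explicit denies hint at: a principal whose only policy grants `s3:PutObject` on `my_bucket/*` already cannot list or delete, so if the user can, some other attached policy (a managed full-access policy, a group policy) is granting it. The denies are a sound backstop, but finding and removing that grant is the least-privilege fix. Note also that a bucket policy's Resource has to be the bucket itself or objects in it; AWS rejects a bare `"*"` there.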
