【发布时间】:2021-01-27 07:52:16
【问题描述】:
我正在尝试允许组中的一组用户访问一个角色,他们可以通过该角色将对象上传到 s3 存储桶。
作为策略的组:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::ACCOUNTID:role/Clinic_Sync"
}
}
角色“Clinic_Sync”拥有政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SyncReqs",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::*/*"
},
{
"Sid": "SyncReqs2",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*"
}
]
}
桶有策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNTID:role/Clinic_Sync"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::mydata"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNTID:role/Clinic_Sync"
},
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::mydata/*"
},
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::mydata",
"arn:aws:s3:::mydata/*"
],
"Condition": {
"StringNotLike": {
"aws:userId": [
"ADMINUSERID:*",
"ACCOUNTNO"
]
}
}
}
]
}
这个想法是没有人可以访问存储桶,除非通过承担这个角色(除了管理员)。我创建的凭据文件如下:
[default]
aws_access_key_id = ACCESSID1
aws_secret_access_key = SECRETKEY1
[csync]
role_arn = arn:aws:iam::ACCOUNTID:role/Clinic_Sync
source_profile = default
还有配置文件:
[default]
output = json
region = eu-west-2
[profile csync]
role_arn = arn:aws:iam::ACCOUNTID:role/Clinic_Sync
source_profile = default
存储桶策略似乎有效,因为运行命令“aws s3 cp hello.txt s3://mydata”会出现错误:上传失败。调用 PutObject 操作时出错:拒绝访问。
但是当我尝试使用该角色时,使用命令“aws s3 cp hello.txt s3://run3d-data --profile csync”,它给出了这个错误:
upload failed: .\hello.txt to s3://mydata/hello.txt An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::ACCOUNTID:user/TestAcc2 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::ACCOUNTID:role/Clinic_Sync
我多年来一直在网上搜索答案,但找不到任何答案。坦率地说,aws 文档对我来说是难以理解的。如果有人可以帮助我找到解决方案,我将不胜感激,因为我在这里扯头发。
重申一下,我只是希望特定组中的用户能够访问一个角色,该角色授予他们使用 s3 存储桶的权限,但阻止对该存储桶的所有其他访问。
【问题讨论】:
-
您的
TestAcc2用户是该组的成员吗? -
是的,绝对是
标签: amazon-web-services amazon-s3 aws-cli