我遵循了http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html#iam-policy-example-s3上的示例,以了解如何向用户授予仅一个存储桶的访问权限。
然后,我使用W3 Total Cache Wordpress插件测试了配置。测试失败。
我也尝试过使用
aws s3 cp --acl=public-read --cache-control='max-age=604800, public' ./test.txt s3://my-bucket/
失败了
upload failed: ./test.txt to s3://my-bucket/test.txt A client error (AccessDenied) occurred when calling the PutObject operation: Access Denied
为什么我不能上传到我的存储桶?
Answers:
要回答我自己的问题:
该示例策略授予了PutObject访问权限,但是我还不得不授予了PutObjectAcl访问权限。
我不得不改变
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
从示例到:
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:DeleteObject"
您还需要通过取消选中以下两个框,确保为客户端配置了存储桶以设置可公开访问的ACL:
我有一个类似的问题。我没有使用ACL的东西,所以我不需要s3:PutObjectAcl。
就我而言,我正在做(在无服务器框架 YML中):
- Effect: Allow
Action:
- s3:PutObject
Resource: "arn:aws:s3:::MyBucketName"
代替:
- Effect: Allow
Action:
- s3:PutObject
Resource: "arn:aws:s3:::MyBucketName/*"
它将A添加/*到存储桶ARN的末尾。
希望这可以帮助。
我只是把头撞在墙上,只是想让S3上传来处理大文件。最初我的错误是:
An error occurred (AccessDenied) when calling the CreateMultipartUpload operation: Access Denied
然后我尝试复制一个较小的文件并得到:
An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
我可以列出对象很好,但是即使我s3:*在“角色”策略中具有权限,我也无能为力。我最终为此修改了政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::my-bucket/*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucketMultipartUploads",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts"
],
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
]
},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "*"
}
]
}
现在,我可以上传任何文件了。my-bucket用您的存储桶名称替换。我希望这会对其他人有所帮助。
"Resource": "*"。
上传到受KWS加密保护的S3存储桶时,我遇到了类似的问题。我有一个最小的策略,允许在特定的s3键下添加对象。
我需要在策略中添加以下KMS权限,以允许该角色将对象放入存储桶中。(可能比严格要求的略多)
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"kms:ListKeys",
"kms:GenerateRandom",
"kms:ListAliases",
"s3:PutAccountPublicAccessBlock",
"s3:GetAccountPublicAccessBlock",
"s3:ListAllMyBuckets",
"s3:HeadBucket"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"kms:ImportKeyMaterial",
"kms:ListKeyPolicies",
"kms:ListRetirableGrants",
"kms:GetKeyPolicy",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:ListResourceTags",
"kms:ReEncryptFrom",
"kms:ListGrants",
"kms:GetParametersForImport",
"kms:TagResource",
"kms:Encrypt",
"kms:GetKeyRotationStatus",
"kms:GenerateDataKey",
"kms:ReEncryptTo",
"kms:DescribeKey"
],
"Resource": "arn:aws:kms:<MY-REGION>:<MY-ACCOUNT>:key/<MY-KEY-GUID>"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
<The S3 actions>
],
"Resource": [
"arn:aws:s3:::<MY-BUCKET-NAME>",
"arn:aws:s3:::<MY-BUCKET-NAME>/<MY-BUCKET-KEY>/*"
]
}
]
}
aws/s3密钥复制到了附加到角色的IAM策略(不在KMS策略中),并且效果很好。我需要对KMS ARNS的唯一行动是:kms:Encrypt,kms:Decrypt,kms:ReEncrypt*,kms:GenerateDataKey*,kms:DescribeKey。然后只有标准的S3权限。
我对相同的错误消息也犯了一个错误:请确保您使用正确的s3 uri,例如: s3://my-bucket-name/
(如果my-bucket-name显然位于您的aws s3的根目录中)
我坚持认为,因为从浏览器复制粘贴s3存储桶时,您会得到类似 https://s3.console.aws.amazon.com/s3/buckets/my-bucket-name/?region=my-aws-regiontab=overview
因此,我犯了使用错误,s3://buckets/my-bucket-name这引起了:
An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
与上面的一篇帖子类似,(除了我当时使用管理员凭据),使S3上传可以处理50M的大文件。
最初我的错误是:
An error occurred (AccessDenied) when calling the CreateMultipartUpload operation: Access Denied
我将multipart_threshold切换为50M以上
aws configure set default.s3.multipart_threshold 64MB
我得到:
An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
我检查了存储桶的公共访问设置,所有设置都被允许。因此,我发现可以在帐户级别上阻止所有S3存储桶的公共访问:
如果您已为存储桶设置了公共访问权限,但仍无法使用,请编辑bucker策略并粘贴以下内容:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::yourbucketnamehere",
"arn:aws:s3:::yourbucketnamehere/*"
],
"Effect": "Allow",
"Principal": "*"
}
]
}