时间戳

首页 > 解决方案 > Amazon S3 递归复制失败

amazon-web-services - Amazon S3 递归复制失败

问题描述

我正在尝试从我的 S3 存储桶中获取文件夹,但不知何故无法弄清楚它失败的原因。

我打电话

aws s3 cp s3://somebucket . --recursive

并得到

致命错误:调用 ListObjects 操作时发生错误 (AccessDenied):访问被拒绝

如果我尝试用同一个用户模拟这些操作

aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::123324234234:user/user1 --action-names iam:ListBucket iam:GetObject iam:PutObject --resource-arns arn:aws:s3:::somebucket

Allowed无处不在

 {
     "EvaluationResults": [
         {
             "EvalActionName": "iam:ListBucket",
             "EvalResourceName": "arn:aws:s3:::somebucket",
             "EvalDecision": "allowed",
             "MatchedStatements": [
                 {
                     "SourcePolicyId": "AdministratorAccess",
                     "StartPosition": {
                         "Line": 3,
                         "Column": 17
                     },
                     "EndPosition": {
                         "Line": 8,
                         "Column": 6
                     }
                 }
             ],
             "MissingContextValues": []
         },
         {
             "EvalActionName": "iam:GetObject",
             "EvalResourceName": "arn:aws:s3:::somebucket",
             "EvalDecision": "allowed",
             "MatchedStatements": [
                 {
                     "SourcePolicyId": "AdministratorAccess",
                     "StartPosition": {
                         "Line": 3,
                         "Column": 17
                     },
                     "EndPosition": {
                         "Line": 8,
                         "Column": 6
                     }
                 }
             ],
             "MissingContextValues": []
         },
         {
             "EvalActionName": "iam:PutObject",
             "EvalResourceName": "arn:aws:s3:::somebucket",
             "EvalDecision": "allowed",
             "MatchedStatements": [
                 {
                     "SourcePolicyId": "AdministratorAccess",
                     "StartPosition": {
                         "Line": 3,
                         "Column": 17
                     },
                     "EndPosition": {
                         "Line": 8,
                         "Column": 6
                     }
                 }
             ],
             "MissingContextValues": []
         }
     ]
 }

我错过了什么?

这是我的政策:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::somebucket",
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::somebucket",
                "arn:aws:s3:::somebucket/*",
            ]
        }
    ]
}

标签: amazon-web-servicesamazon-s3permissionsamazon-iamaws-cli

解决方案

解决了。我aws-cli的用户设置不正确,并试图用它列出存储桶。由于 S3 存储桶名称是全局的,因此不会引发任何错误。在我指定正确的配置文件后,一切都很好。

顺便说一句,在这种情况下,只需在存储桶 ACL 权限中添加另一个用户,就是这样!

在此处输入图像描述

对于那个现在应该是它的规范用户 ID,可以像这样找到

aws s3api list-buckets

这个 AWS 线程帮助了我。

推荐阅读