amazon-web-services - AWS S3: An error occurred (AccessDenied) when calling the GetObject operation: Access Denied
问题描述
I have an AWS account with read/write permissions as shown below:
I'd like to make it so that an IAM user can download files from an S3 bucket but I'm getting access denied when executing aws s3 sync s3://<bucket_name> .
I have tried various things, but not to avail. Some steps that I did:
- Created a user called s3-full-access
- Executed
aws configure
in my CLI and entered the generated access key id and secret access key for the above user - Created a bucket policy (shown below) that I'd hoped grants access for my user created in first step.
My bucket has a folder name AffectivaLogs in which files were being added anonymously by various users, and it seems like though the bucket is public, the folder inside it is not and I am not even able to make it public, and it leads to following error.
Following are the public access settings:
Update: I updated the bucket policy as follows, but it doesn't work.
解决方案
为了测试这种情况,我做了以下事情:
- 创建了一个没有附加策略的IAM 用户
- 创建了一个Amazon S3 存储桶
- 关闭 S3 阻止公共访问设置:
- 阻止新的公共存储桶策略
- 如果存储桶有公共策略,则阻止公共和跨账户访问
- 添加了一个存储桶策略,授予IAM 用户
s3:*
访问存储桶内容的权限
然后我跑了aws s3 sync
,得到了Access Denied
。
然后我修改了策略以允许访问存储桶本身:
{
"Id": "Policy",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "statement",
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::my-bucket/*",
"arn:aws:s3:::my-bucket"
],
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/stack-user"
]
}
}
]
}
这行得通。
底线:除了存储桶的内容之外,还添加访问存储桶的权限。(我怀疑这是因为除了访问对象本身之外,还需要列出存储桶内容。)aws s3 sync
推荐阅读
- angular - 如何在 Angular 4 中创建 vendor.bundle.js 之前对其进行转换
- c - Linux fread() 上的预读效果
- json - WCF REST JSON 请求:格式化程序异常
- c# - 使用持久 ID 的 C# 将 XML 数据加载到现有数据库中
- javascript - Javascript映射两个对象数组
- mysql - MySQL 服务器已消失 + 读取结果集标头时出错
- leaflet - 传单控件上不显示 img
- azure - Azure 应用程序网关:502 / SNI/SSL 问题?使用应用服务进行配置
- excel - 我可以将 VBA 中的计算值添加到单元格的悬停鼠标悬停中吗?
- mongodb - 我在 mongoDB 中有如下记录。需要查询以使用 startTime 获取前一天的结果