amazon-web-services - aws s3 可以通过 cli 和控制台上传,但不能通过 nodejs sdk 上传
问题描述
存储桶配置为禁用公共访问,但具有以下存储桶策略:
{
"Version": "2012-10-17",
"Id": "Policy1571348371588",
"Statement": [
{
"Sid": "Stmt1571348370292",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::932534461852:user/test-user"
]
},
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::test.test.com",
"arn:aws:s3:::test.test.com/*"
]
}
]
}
IAM 也附有此政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::*/*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::test.test.com"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"s3:PutAccountPublicAccessBlock",
"s3:ListAllMyBuckets"
],
"Resource": "*"
}
]
}
存储桶的公共访问设置为:
Block all public access
On
Block public access to buckets and objects granted through new access control lists (ACLs)
On
Block public access to buckets and objects granted through any access control lists (ACLs)
On
Block public access to buckets and objects granted through new public bucket policies
On
Block public and cross-account access to buckets and objects through any public bucket policies
On
我已经验证 cli 和 sdk 使用相同的访问密钥和密钥,并且我可以使用控制台和 cli 毫无问题地上传文件,但是当我尝试使用 node.js 时aws-sdk: 2.551.0,出现访问被拒绝错误。
哪里会出错?
解决方案
问题可能是您的 Node.js 客户端使用了错误的凭证、定位了错误的存储桶或调用了 IAM 策略中不允许的操作。您没有提供任何代码,因此我们无法验证后者。
此外,如果 IAM 用户的策略允许必要的 S3 操作/资源,则您不需要在 S3 存储桶策略中允许 IAM 用户,因此您可以删除存储桶策略。