我正在尝试使用S3存储桶策略提供对存储桶的通用访问,同时还允许使用角色策略对特定角色进行访问。该角色由Lambda函数用于处理存储桶中的对象。但是,它在第一个障碍处停止了——即使在角色策略中允许,在存储桶策略中也没有明确拒绝"incoming/"前缀的GET操作。
角色策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowBucketPut",
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": "arn:aws:s3:::bucket-name/*"
},
{
"Sid": "AllowIncomingGetDelete",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::bucket-name",
"Condition": {
"StringLike": {
"s3:prefix": "incoming/*"
}
}
}
]
}
注意:我也试过删除条件并将资源更改为“arn:aws:s3:::bucket-name/incoming*”,这似乎只是改变了策略模拟器的行为。另一个注意点:在带有“incoming / *”前缀的存储桶中使用GET确实可以在模拟器中工作,但在实践中却不行。
由于我不确定哪些声明可能相关,因此我没有删除下面存储桶策略中的任何声明。已省略IP地址。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowPublicList",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::bucket-name",
"Condition": {
"StringLike": {
"s3:prefix": "public*"
}
}
},
{
"Sid": "AllowPublicGet",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket-name/public*"
},
{
"Sid": "AllowPrivateList",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::bucket-name",
"Condition": {
"StringLike": {
"s3:prefix": "private*"
},
"IpAddress": {
"aws:SourceIp": [
"..."
]
}
}
},
{
"Sid": "AllowPrivateGet",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket-name/private*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"..."
]
}
}
},
{
"Sid": "AllowIncomingPut",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucket-name/incoming*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"..."
]
}
}
}
]
}
对于篇幅过长的文本,我感到抱歉。
我不明白为什么我的角色无法获取以"incoming/"为前缀的对象。
当执行以下操作时,Lambda函数会收到403访问被拒绝的错误:
S3.download_file(bucket, key, localfile)