有一个官方的 AWS 文档,位于编写 IAM 策略:如何授予对 Amazon S3 存储桶的访问权限
只需复制并粘贴适当的规则,并在所有语句中将 "Resource" 键更改为您的存储桶 ARN。
对于编程访问,策略应为:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::bar"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:DeleteObject"
],
"Resource": ["arn:aws:s3:::bar/*"]
}
]
}
对于控制台访问,应该是:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::bar*"
},
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::bar"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:DeleteObject"
],
"Resource": ["arn:aws:s3:::bar/*"]
}
]
}
bar/*
才能访问bar
存储桶中的对象,而需要使用bar
列出/修改存储桶本身。 - treat your mods well