14

正如问题所问的那样,锁定的 s3 IAM 用户成功使用 django-storages 所需的最低权限是多少?目前我用过类似的东西

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket",
                 "s3:GetBucketLocation",
                 "s3:ListBucketMultipartUploads",
                 "s3:ListBucketVersions"],
      "Resource": "arn:aws:s3:::bucket-name"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:*Object*",
                 "s3:ListMultipartUploadParts",
                 "s3:AbortMultipartUpload"],
      "Resource": "arn:aws:s3:::bucket-name/*"
    }
  ]
}

这实际上可能是矫枉过正。还有什么想法吗?

4

5 回答 5

10

Fiver's answer is not enough to run collectstatic in django-storages. I used everything @jvc26 did except for s3:ListAllMyBuckets. I would assume s3:ListBucketVersions is not needed either.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket",
                 "s3:GetBucketLocation",
                 "s3:ListBucketMultipartUploads",
                 "s3:ListBucketVersions"],
      "Resource": "arn:aws:s3:::bucket-name"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:*Object*",
                 "s3:ListMultipartUploadParts",
                 "s3:AbortMultipartUpload"],
      "Resource": "arn:aws:s3:::bucket-name/*"
    }
  ]
}
于 2013-11-01T04:19:36.127 回答
3

我不是 100% 确定 django-storages,因为我使用基于 django -storages的 S3 部分的 cuddly-buddly。我只是发现 cuddlybuddly 使用起来更简单,效果更好,而且这个名字很棒!

无论如何,我有一个使用 Django+S3 的项目,并发现以下 AWS 策略是我的项目所需的最低要求:

{
  "Version": "2008-10-17",
  "Id": "Policy123",
  "Statement": [
    {
      "Sid": "Stmt123",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::some-aws-user"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bucket-name"
    },
    {
      "Sid": "Stmt234",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::some-aws-user"
      },
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::bucket-name/*"
    }
  ]
}

我有需要上传、检索和删除的 Django 视图,因此可以根据您的需要使用/省略这些相应的操作。显然,任何人都需要更改用户和存储桶名称。

此外,为了完整起见,因为这对我来说并不明显,请注意以下有关AWS 策略的限制:

  • 策略的最大大小为 20 KB

  • Resource 的值必须以存储桶名称或存储桶名称及其下的路径 (bucket/ ) 为前缀。如果只指定了存储桶名称,没有尾部 /,则该策略适用于存储桶。

  • 每个策略必须具有唯一的策略 ID (Id)

  • 策略中的每个语句都必须具有唯一的语句 ID (sid)

  • 每个策略必须仅涵盖单个存储桶和该存储桶中的资源(在编写策略时,不要包含引用其他存储桶或其他存储桶中的资源的语句)

最后,对于任何想要这样做的人,不要更改Version键中的日期值,亚马逊使用此值来解析策略格式。

希望这可以帮助!

于 2013-08-07T01:28:45.587 回答
1

在此处参考官方 Django Storages 官方文档:https ://django-storages.readthedocs.io/en/latest/backends/amazon-S3.html#iam-policy

您只需将该权限复制并粘贴到您的 IAM 策略中即可。

于 2020-06-28T03:31:47.107 回答
0

这对我行得通:

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:ListBucketMultipartUploads",
                "s3:ListBucketVersions"
            ],
            "Resource": "arn:aws:s3:::bucket_name_here"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:*Object*",
                "s3:ListMultipartUploadParts",
                "s3:AbortMultipartUpload"
            ],
            "Resource": "arn:aws:s3:::bucket_name_here/*"
        }
    ]
}
于 2015-01-25T14:32:35.203 回答
0

我认为无论您使用 IAM 还是其他类型的权限,都应该授予全球读取访问权限。所以我成功地使用了这个配置:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::buuuuu",
                "arn:aws:s3:::buuuuu/*"
            ]
        }
    ]
}
于 2021-05-31T18:45:02.300 回答