2

我有一个名为 Role1 的角色。该角色应用了以下策略。

我有一个具有 Role1 IAM 角色的 ec2 实例。

当我尝试 conn.get_bucket('fooo_udata') 我返回 403 错误。

有什么想法吗?

  {
"Statement": [
{
  "Effect": "Allow",
  "Action": ["s3:ListAllMyBuckets"],
  "Resource": "arn:aws:s3:::*"
},
{
  "Effect": "Allow",
  "Action": ["s3:ListBucket","s3:GetBucketLocation","s3:*"],
  "Resource": ["arn:aws:s3:::fooo_uadata/","arn:aws:s3:::fooo_uadata/*"]
},
{
  "Effect": "Allow",
  "Action": ["s3:PutObject","s3:GetObject","s3:DeleteObject"],
  "Resource":   ["arn:aws:s3:::fooo_uadata/","arn:aws:s3:::fooo_uadata/*"]
}
]
}
4

1 回答 1

3

我认为您不想在存储桶策略中包含“/”字符。所以,尝试改变:

{
  "Effect": "Allow",
  "Action": ["s3:ListBucket","s3:GetBucketLocation","s3:*"],
  "Resource": ["arn:aws:s3:::fooo_uadata/","arn:aws:s3:::fooo_uadata/*"]
},

对此:

{
  "Effect": "Allow",
  "Action": ["s3:ListBucket","s3:GetBucketLocation","s3:*"],
  "Resource": ["arn:aws:s3:::fooo_uadata","arn:aws:s3:::fooo_uadata*"]
},

由于您的存储桶的名称foo_uadata不是foo_uadata/.

于 2013-07-13T13:31:23.083 回答