24

我需要发布预签名 URL,以允许用户将文件 GET 和 PUT 到特定的 S3 存储桶中。我创建了一个 IAM 用户并使用其密钥创建预签名 URL,并添加了嵌入该用户的自定义策略(见下文)。当我使用生成的 URL 时,我的AccessDenied策略出现错误。如果我将FullS3Access策略添加到 IAM 用户,则文件可以是具有相同 URL 的 GET 或 PUT,因此显然缺少我的自定义策略。它有什么问题?

这是我正在使用但不起作用的自定义策略:

{
    "Statement": [
        {
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::MyBucket"
            ]
        },
        {
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:DeleteBucketPolicy",
                "s3:DeleteObject",
                "s3:GetBucketPolicy",
                "s3:GetLifecycleConfiguration",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:ListMultipartUploadParts",
                "s3:PutBucketPolicy",
                "s3:PutLifecycleConfiguration",
                "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::MyBucket/*"
            ]
        }
    ]
}
4

5 回答 5

9

这是适用于我的预签名 S3 URL 的 IAM 策略。

{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "s3:PutObject",
            "s3:GetObject"
        ],
        "Resource": "arn:aws:s3:::mydocs/*"
      }
    ]
}

我想知道你的问题是否出在这Resource部分。您对存储桶的 GET 请求是否MyBucket总是如此?

于 2020-08-22T23:00:21.810 回答
6

我还在开发一个使用预签名 GET 和放置 URL 的功能,特别是通过与 AWS Lambda 函数关联的角色。不过,我发现了一些变化,因为我还需要允许使用加密存储桶的 KMS 密钥。

我遇到了这篇人迹罕至的文章,它为我指明了正确的方向。不需要为 URL 预签名允许存储桶级别的权限,只需要少数对象级别的权限。

简而言之,我支持预签名 URL 的 lambda 角色策略如下所示。请注意,cloudwatch 日志权限与签名无关,但通常对 lambda 函数很重要:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "<my-bucket-arn-expression>/*",
      "Effect": "Allow"
    },
    {
      "Sid": "KMSAccess",
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:GenerateDataKey*",
        "kms:ReEncrypt*"
      ],
      "Effect": "Allow",
      "Resource": "<my-key-arn>"
    }
  ]
}

如果您使用内置的 AES 加密(或不加密),您的策略可以简化为:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "<my-bucket-arn-expression>/*",
      "Effect": "Allow"
    }
  ]
}
于 2020-06-01T14:53:27.057 回答
3

存储桶权限与对象权限

您的策略中的以下权限应位于存储桶级别 ( arn:aws:s3:::MyBucket),而不是存储桶内的子路径 (例如arn:aws:s3:::MyBucket/*):

  • s3:创建桶
  • s3:删除桶
  • s3:DeleteBucketPolicy
  • s3:GetBucketPolicy
  • s3:GetLifecycleConfiguration
  • s3:ListBucket
  • s3:ListBucketMultipartUploads
  • s3:PutBucketPolicy
  • s3:PutLifecycleConfiguration

请参阅:在策略中指定权限

但是,这不是您无法 PUT 或 GET 文件的原因。

得到

您已分配GetObject权限这一事实意味着您应该能够从 S3 存储桶获取对象。我通过将您的策略​​分配给用户来测试这一点,然后使用该用户的凭据访问对象并且它正常工作。

我还使用您的政策通过网络表单上传,它工作正常。

这是我用来上传的表格:

<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title>S3 POST Form</title> 

  <style type="text/css"></style></head>

  <body> 
    <form action="https://<BUCKET-NAME>.s3.amazonaws.com/" method="post" enctype="multipart/form-data">
      <input type="hidden" name="key" value="uploads/${filename}">
      <input type="hidden" name="AWSAccessKeyId" value="<ACCESS-KEY>">
      <input type="hidden" name="acl" value="private"> 
      <input type="hidden" name="success_action_redirect" value="http://<BUCKET-NAME>.s3.amazonaws.com/ok.html">
      <input type="hidden" name="policy" value="<ENCODED-POLICY>">
      <input type="hidden" name="signature" value="<SIGNATURE>">
      <input type="hidden" name="Content-Type" value="image/jpeg">
      <!-- Include any additional input fields here -->

      File to upload to S3: 
      <input name="file" type="file"> 
      <br> 
      <input type="submit" value="Upload File to S3"> 
    </form>

这是我生成签名的方式:

#!/usr/bin/python
import base64
import hmac, hashlib

policy_document = '{"expiration": "2018-01-01T00:00:00Z", "conditions": [ {"bucket": "<BUCKET-NAME>"}, ["starts-with", "$key", "uploads/"], {"acl": "private"}, {"success_action_redirect": "http://BUCKET-NAME.s3.amazonaws.com/ok.html"}, ["starts-with", "$Content-Type", ""], ["content-length-range", 0, 1048000] ] }'

AWS_SECRET_ACCESS_KEY = "<SECRET-KEY>"

policy = base64.b64encode(policy_document)

signature = base64.b64encode(hmac.new(AWS_SECRET_ACCESS_KEY, policy, hashlib.sha1).digest())

print policy
print
print signature
于 2016-09-26T02:39:05.207 回答
0

对我有用的是:

{
    "Action": [
       "s3:PutObject"
    ],
    "Resource": [
       "arn:aws:s3:::<your-bucket-name>"
    ],
    "Effect": "Allow"
}

注意:我在这里没有提到其他策略,例如:CloudWatch 日志或 XRay 的权限。

于 2021-12-08T12:15:26.143 回答
-1

在弄乱 IAM 权限大约一周后,这行得通。我的目标是创建一个 presigned_url 来读取 S3 图像(最长 7 天后才过期)。

需要 KMS 和 S3。

可能不需要 STS,但我也弄乱了“assume_role”功能。

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "kms:Decrypt",
            "kms:Encrypt",
            "kms:DescribeKey",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*"
        ],
        "Resource": [
            "arn:aws:kms:*:<account-number>:key/*",
            "arn:aws:s3:::<bucket-name>/*"
        ]
    },
    {
        "Sid": "VisualEditor1",
        "Effect": "Allow",
        "Action": [
            "sts:GetSessionToken",
            "sts:DecodeAuthorizationMessage",
            "sts:GetAccessKeyInfo",
            "sts:GetCallerIdentity",
            "sts:GetServiceBearerToken"
        ],
        "Resource": "*"
    },
    {
        "Sid": "VisualEditor2",
        "Effect": "Allow",
        "Action": "sts:*",
        "Resource": [
            "arn:aws:iam::<account-number>:<role-arn>",
            "arn:aws:iam::<account-number>:user/<aws-user-name>"
        ]
    }
]

}

这是使用此用户凭据的函数

from botocore.config import Config
my_config = Config(
    region_name = 'us-east-2',
    signature_version = 's3v4',
    s3={'addressing_style': 'path'},
)

client = boto3.client('s3', config=my_config,
aws_access_key_id = AWS_ACCESS_KEY_ID,
aws_secret_access_key = AWS_SECRET_ACCESS_KEY
)
presigned_url = client.generate_presigned_url(
    'get_object',
    Params={'Bucket': bucket_name, 'Key': key_name},
    ExpiresIn=604800,
    HttpMethod=None
)
于 2020-10-01T22:23:49.037 回答