
I am using the Go SDK to create a new role and then assume it. Both steps are performed by the same IAM user. The role's trust relationship is as follows:

{
    "Statement": [{
        "Effect": "Allow",
        "Principal": { "AWS": "<an admin user>" },
        "Action": [ "sts:AssumeRole" ]
    }]
}

Later, when I try to add an object to the bucket, I can obtain session credentials, but the PutObject call fails with AccessDenied. The bucket policy is:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::<name of the bucket>/*"
        ],
        "Condition": {}
    }]
}

1 Answer


If the role you assume is not granted access to the S3 bucket through the role's own policy, then you need to add the role as a principal in the bucket policy.

There is a handy tool at https://awspolicygen.s3.amazonaws.com/policygen.html that helps generate bucket policies. But it should end up looking like:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:*",
        "Principal": {
            "AWS": ["arn:aws:iam::<accountid>:role/<name of assumed role>"]
        },
        "Resource": [
            "arn:aws:s3:::<name of the bucket>/*"
        ],
        "Condition": {}
    }]
}
answered 2019-10-29T20:31:20.347
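As an added example (not code from the asker or the answerer), the following Go program shows why the question's bucket policy grants nothing to the assumed role while the answer's does: it evaluates a bucket policy document offline against a principal ARN, an action and a resource ARN, using only the standard library. The account id, role name, bucket name and object key are constructed placeholders; the two policy documents are the ones from the page, rewritten with those placeholders and wrapped in a full policy document. Condition blocks are ignored, since both policies on the page carry an empty one.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed placeholders; not real account, role or bucket names.
const (
	RoleARN   = "arn:aws:iam::123456789012:role/ExampleUploadRole"
	ObjectARN = "arn:aws:s3:::example-bucket/report.csv"

	// Mirrors the question's policy: no Principal, so nothing is granted to the role.
	BrokenBucketPolicy = `{"Version": "2012-10-17", "Statement": [{
		"Effect": "Allow", "Action": "s3:*",
		"Resource": ["arn:aws:s3:::example-bucket/*"], "Condition": {}}]}`

	// Mirrors the answer: the assumed role is named as Principal.
	FixedBucketPolicy = `{"Version": "2012-10-17", "Statement": [{
		"Effect": "Allow", "Action": "s3:*",
		"Principal": {"AWS": ["arn:aws:iam::123456789012:role/ExampleUploadRole"]},
		"Resource": ["arn:aws:s3:::example-bucket/*"], "Condition": {}}]}`
)

// statement keeps Principal, Action and Resource raw because each may be a
// string or a list in a real policy; asList/principals normalise them.
type statement struct {
	Effect    string          `json:"Effect"`
	Principal json.RawMessage `json:"Principal"`
	Action    json.RawMessage `json:"Action"`
	Resource  json.RawMessage `json:"Resource"`
}

// asList accepts either "x" or ["x", "y"]; an absent field matches nothing.
func asList(raw json.RawMessage) []string {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}
	}
	var many []string
	if json.Unmarshal(raw, &many) == nil {
		return many
	}
	return nil
}

// principals returns "*" for the anonymous wildcard, the ARNs under "AWS",
// or nil when the Principal field is missing (the question's defect).
func principals(raw json.RawMessage) []string {
	var star string
	if json.Unmarshal(raw, &star) == nil {
		return []string{star}
	}
	var obj map[string]json.RawMessage
	if json.Unmarshal(raw, &obj) != nil {
		return nil
	}
	return asList(obj["AWS"])
}

// matchGlob handles the single "*" wildcard IAM allows in Action and Resource
// ("s3:*", "arn:aws:s3:::bucket/*"); without "*" the pattern must match exactly.
func matchGlob(pattern, value string) bool {
	i := strings.IndexByte(pattern, '*')
	if i < 0 {
		return pattern == value
	}
	prefix, suffix := pattern[:i], pattern[i+1:]
	return len(value) >= len(prefix)+len(suffix) &&
		strings.HasPrefix(value, prefix) && strings.HasSuffix(value, suffix)
}

func anyMatch(patterns []string, value string) bool {
	for _, p := range patterns {
		if matchGlob(p, value) {
			return true
		}
	}
	return false
}

// Allows reports whether the bucket policy grants principalARN the action on
// resourceARN: some Allow statement must name the principal (or "*") and match
// both action and resource, and no matching Deny may exist.
func Allows(policyJSON, principalARN, action, resourceARN string) (bool, error) {
	var doc struct{ Statement []statement }
	if err := json.Unmarshal([]byte(policyJSON), &doc); err != nil {
		return false, err
	}
	allowed := false
	for _, st := range doc.Statement {
		if !anyMatch(principals(st.Principal), principalARN) ||
			!anyMatch(asList(st.Action), action) ||
			!anyMatch(asList(st.Resource), resourceARN) {
			continue
		}
		if st.Effect == "Deny" {
			return false, nil
		}
		allowed = allowed || st.Effect == "Allow"
	}
	return allowed, nil
}

func main() {
	for name, pol := range map[string]string{"question": BrokenBucketPolicy, "answer": FixedBucketPolicy} {
		ok, err := Allows(pol, RoleARN, "s3:PutObject", ObjectARN)
		fmt.Printf("%-8s policy: PutObject allowed for role = %v (err=%v)\n", name, ok, err)
	}
}
```

Running it prints `false` for the question's policy and `true` for the answer's. The same check is useful as a pre-deployment guard: evaluate the policy for the exact role ARN the code will assume before uploading it to the bucket, rather than discovering the gap as an AccessDenied at runtime.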