1

I am trying to rename an object in S3 through the AWS console.

I have a role to which I attached two policies.

The "read" permissions

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetAccelerateConfiguration",
                "s3:GetAnalyticsConfiguration",
                "s3:GetBucketAcl",
                "s3:GetBucketCORS",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketNotification",
                "s3:GetBucketPolicy",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketRequestPayment",
                "s3:GetBucketTagging",
                "s3:GetBucketVersioning",
                "s3:GetBucketWebsite",
                "s3:GetEncryptionConfiguration",
                "s3:GetInventoryConfiguration",
                "s3:GetLifecycleConfiguration",
                "s3:GetMetricsConfiguration",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectTagging",
                "s3:GetObjectTorrent",
                "s3:GetObjectVersion",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectVersionForReplication",
                "s3:GetObjectVersionTagging",
                "s3:GetObjectVersionTorrent",
                "s3:GetReplicationConfiguration",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:ListBucketVersions",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::bfe-dp-test3-pos-lz",
                "arn:aws:s3:::bfe-dp-test3-pos-lz/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:HeadBucket"
            ],
            "Resource": "*"
        }
    ]
}

and a set of "write" permissions

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:DeleteBucketWebsite",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetBucketLocation",
                "s3:GetBucketObjectLockConfiguration",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectTagging",
                "s3:GetObjectVersion",
                "s3:ListBucket",
                "s3:PutAccelerateConfiguration",
                "s3:PutAnalyticsConfiguration",
                "s3:PutBucketCORS",
                "s3:PutBucketLogging",
                "s3:PutBucketNotification",
                "s3:PutBucketRequestPayment",
                "s3:PutBucketVersioning",
                "s3:PutBucketWebsite",
                "s3:PutEncryptionConfiguration",
                "s3:PutInventoryConfiguration",
                "s3:PutLifecycleConfiguration",
                "s3:PutMetricsConfiguration",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectTagging",
                "s3:PutReplicationConfiguration",
                "s3:ReplicateDelete",
                "s3:ReplicateObject",
                "s3:RestoreObject"
            ],
            "Resource": [
                "arn:aws:s3:::bfe-dp-test3-pos-lz",
                "arn:aws:s3:::bfe-dp-test3-pos-lz/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:HeadBucket"
            ],
            "Resource": "*"
        }
    ]
}

However, when I try to rename a file (object) through the AWS console, I get a failure error message with no details...

Any idea which additional permissions might be missing?

4

2 Answers

1

In my particular case above, I was missing access to encryption!

I had to add this to my "read" policy

            {
                "Sid": "kmsAccess",
                "Effect": "Allow",
                "Action": [
                    "kms:List*",
                    "kms:*"
                ],
                "Resource": "*"
            },

Thanks for your help

Answered 2020-07-06T12:55:02.637
1

I tried to reproduce this problem with my own bucket, but I found no problem with your two policies.

My verification process:

  1. Create two managed policies: one read and one write, as you described.
  2. Create an IAM role containing these two policies. The trust policy is my sandbox account arn:aws:iam::xxxx:root
  3. Use Switch Role in the console to assume the role created in step 2.
  4. While in the assumed role, I tried to rename objects in the bucket and found no problems. I could also upload objects to the bucket.

So, it seems to me that something else is going on. Maybe you have a problem with other policies in the role? Or does the bucket have a policy that denies certain actions? As mentioned in the comments, if the object is encrypted, the role needs additional KMS permissions.

Answered 2020-07-06T12:44:47.550
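Both answers come down to the same evaluation question: a console "rename" is a CopyObject followed by a DeleteObject, so the role needs get/put/delete on the object plus, when the bucket uses SSE-KMS, decrypt and data-key generation on the key, and any explicit Deny (for example in a bucket policy) overrides the Allows. The script below is an added example, not code from either answer or from AWS: it reimplements the IAM allow/deny rule with wildcard matching, runs it over abbreviated excerpts of the two policies from the question, and shows the two failure modes the answers name (missing KMS access, and a Deny on the delete half). The KMS key ARN, the `KMS_POLICY` statement scoped to that key (a least-privilege stand-in for the first answer's `kms:*` on `*`), and the `DENY_DELETE_POLICY` are constructed placeholders, and treating a bucket-policy Deny as just another policy in the list is a simplification of the real evaluation order.

```python
from fnmatch import fnmatchcase

BUCKET = "bfe-dp-test3-pos-lz"  # bucket name from the question
BUCKET_ARNS = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]

# Constructed excerpts of the question's two policies: only the statements
# that matter for a rename are reproduced here.
READ_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": BUCKET_ARNS},
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:HeadBucket"],
     "Resource": "*"},
]}
WRITE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:PutObject", "s3:DeleteObject", "s3:GetObject", "s3:ListBucket"],
     "Resource": BUCKET_ARNS},
]}

# Assumed placeholder key ARN for a bucket that uses SSE-KMS.
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"

# Least-privilege alternative to the first answer's "kms:*" on "*": only the
# operations a copy of an SSE-KMS object needs, scoped to the one key.
KMS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "kmsAccess", "Effect": "Allow",
     "Action": ["kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"],
     "Resource": KMS_KEY_ARN},
]}

# Constructed example of the second answer's other suspect: an explicit Deny
# that blocks the delete half of the rename (a bucket policy would look alike).
DENY_DELETE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:DeleteObject",
     "Resource": f"arn:aws:s3:::{BUCKET}/*"},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM Action/Resource entries support '*' and '?' wildcards.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policies, action, resource):
    """IAM rule: an explicit Deny wins, otherwise any Allow grants, else implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt.get("Action", []), action):
                continue
            if not _matches(stmt.get("Resource", []), resource):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def rename_requirements(bucket, src_key, dst_key, kms_key_arn=None):
    """A console rename is CopyObject + DeleteObject; list what each step needs."""
    reqs = [
        ("s3:ListBucket", f"arn:aws:s3:::{bucket}"),
        ("s3:GetObject", f"arn:aws:s3:::{bucket}/{src_key}"),
        ("s3:PutObject", f"arn:aws:s3:::{bucket}/{dst_key}"),
        ("s3:DeleteObject", f"arn:aws:s3:::{bucket}/{src_key}"),
    ]
    if kms_key_arn:  # SSE-KMS: decrypt the source, wrap a new data key for the copy
        reqs += [("kms:Decrypt", kms_key_arn), ("kms:GenerateDataKey", kms_key_arn)]
    return reqs


def missing_permissions(policies, bucket, src_key, dst_key, kms_key_arn=None):
    """Return the (action, resource) pairs the rename needs but the policies do not grant."""
    return [(a, r) for a, r in rename_requirements(bucket, src_key, dst_key, kms_key_arn)
            if not is_allowed(policies, a, r)]


if __name__ == "__main__":
    base = [READ_POLICY, WRITE_POLICY]
    print("plain bucket  :", missing_permissions(base, BUCKET, "old.csv", "new.csv"))
    print("SSE-KMS bucket:", missing_permissions(base, BUCKET, "old.csv", "new.csv", KMS_KEY_ARN))
    print("with KMS stmt :", missing_permissions(base + [KMS_POLICY], BUCKET, "old.csv", "new.csv", KMS_KEY_ARN))
    print("with a Deny   :", missing_permissions(base + [DENY_DELETE_POLICY], BUCKET, "old.csv", "new.csv"))
```

Running it reproduces the thread: the two policies alone cover a rename on an unencrypted bucket (matching the second answer's test), the SSE-KMS case surfaces the two missing `kms:` actions the first answer hit, a statement scoped to the key closes that gap without granting `kms:*`, and a single Deny on `s3:DeleteObject` is enough to fail the rename while uploads still succeed.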