3

我按照这里的描述安装 s3fs http://code.google.com/p/s3fs/wiki/InstallationNotes

然后在我创建用户 bucket_user

然后把他的 accessKeyId:secretAccessKey 在 /etc/passwd-s3fs

他们是 S3 我创建了一个存储桶 super_bucket

并制定其政策:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AddCanned",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::234234234234:user/bucket_user"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::super_bucket/*"
        }
    ]
}

然后在我的服务器上 /usr/bin/s3fs super_bucket /mnt/s3/

并收到答案:

s3fs: CURLE_HTTP_RETURNED_ERROR

s3fs: HTTP Error Code: 403

s3fs: AWS Error Code: AccessDenied

s3fs: AWS Message: Access Denied

正在使用的 s3fs 版本(s3fs --version):1.61

使用的保险丝版本(pkg-config --modversion fuse):2.8.4

系统信息(uname -a):Linux Ubuntu-1110-oneiric-64-minimal 3.0.0-14-server #23-Ubuntu SMP Mon Nov 21 20:49:05 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux

发行版(cat /etc/issue):Ubuntu 11.10 \n \l

s3fs 系统日志消息(grep s3fs /var/log/syslog):空

所以我从头开始

在服务器上

纳米〜/ .passwd-s3fs

cmd+v accessKeyId:secretAccessKey

chmod 600 ~/.passwd-s3fs

在存储桶策略中

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::super_bucket/*",
                "arn:aws:s3:::super_bucket"
            ]
        }
    ]
}

“节省”

/usr/bin/s3fs super_bucket /mnt/s3/

并再次收到

s3fs:AWS 消息:拒绝访问

4

3 回答 3

5

没有人说我需要在 AWS IAM 中设置用户策略

于 2012-02-15T22:07:47.660 回答
1

更新

分析

显然s3fs在 IAM 支持方面存在问题,包括您正在使用的最新稳定版本 1.61,请查看IAM 用户权限问题以了解详细信息,特别是评论 4

显然,在尝试挂载之前需要调用 [ ListAllMyBuckets() ] 来确定请求的存储桶是否存在。

现在,ListAllMyBuckets()对服务的操作,而不是bucketobject,它们是您的Resource语句当前针对的唯一实体,因此您当前的策略实际上拒绝使用ListAllMyBuckets() 。

解决方案

正如评论 4中所述,您必须添加一个额外的策略片段来相应地满足您的s3fs版本的此要求:

"Statement": [
    {
        "Effect": "Allow",
        "Action": "s3:ListAllMyBuckets",
        "Resource": "arn:aws:s3:::*"
    }
]

或者,您可以在应用注释 9中提供的补丁后从源代码构建 s3fs 版本 1.61 ,这应该解决了这个问题(虽然我自己没有测试过补丁)。显然,更高版本也可能包含对此的修复,请参阅评论 11 ff

祝你好运!

鉴于预期的功能(即,将存储桶安装为本地文件系统读/写),s3fs可能也需要访问存储桶本身,而不仅仅是其中包含的对象,这些对象是单独处理的 - 尝试Resource用以下内容替换您的语句:

"Resource": [
    "arn:aws:s3:::super_bucket",
    "arn:aws:s3:::super_bucket/*",
]

第一个资源以桶为目标,而后者以其中包含的对象为目标。

于 2012-01-30T15:05:52.820 回答
0

我可以通过指定ListBucket存储桶本身的Put/Get/DeleteObject权限和存储桶内容的权限来完成这项工作。我通过这个 repo中的 shell 脚本来遵循这个 CloudAcademy 指南,它试图很好地打包它。这是工作政策:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::super_bucket"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::super_bucket/*"
            ]
        }
    ]
}

在以这种方式定义它之前,我只对存储桶而不是它的内容拥有一堆权限,虽然我能够登录到我的 FTP 实例,但当我尝试时put test.txt,我收到了一条553 Could not create file.消息。

put在失败的尝试期间,我在日志中看到了这一点。这是此调试命令的调试输出:

sudo /usr/local/bin/s3fs super_bucket \
-o use_cache=/tmp,iam_role="super_ftp_user",allow_other /home/super_ftp_user/ftp/files \
-o dbglevel=info -f \
-o curldbg \
-o url="https://s3-us-east-1.amazonaws.com" \
-o nonempty

输出:

[CURL DBG] * Connection #8 to host super_bucket.s3-us-east-1.amazonaws.com left intact
[INF]       curl.cpp:RequestPerform(2267): HTTP response code 200
[INF]     s3fs.cpp:create_file_object(918): [path=/test.txt][mode=100644]
[INF]       curl.cpp:PutRequest(3127): [tpath=/test.txt]
[INF]       curl.cpp:PutRequest(3145): create zero byte file object.
[INF]       curl_util.cpp:prepare_url(250): URL is https://s3-us-east-1.amazonaws.com/super_bucket/test.txt
[INF]       curl_util.cpp:prepare_url(283): URL changed is https://super_bucket.s3-us-east-1.amazonaws.com/test.txt
[INF]       curl.cpp:PutRequest(3225): uploading... [path=/test.txt][fd=-1][size=0]
[INF]       curl.cpp:insertV4Headers(2598): computing signature [PUT] [/test.txt] [] []
[INF]       curl_util.cpp:url_to_host(327): url is https://s3-us-east-1.amazonaws.com
[CURL DBG] * Found bundle for host super_bucket.s3-us-east-1.amazonaws.com: 0x7fa0d00d3c60 [can pipeline]
[CURL DBG] * Re-using existing connection! (#8) with host super_bucket.s3-us-east-1.amazonaws.com
[CURL DBG] * Connected to super_bucket.s3-us-east-1.amazonaws.com (123.456.789.012) port 443 (#8)
[CURL DBG] > PUT /test.txt HTTP/1.1
[CURL DBG] > Host: super_bucket.s3-us-east-1.amazonaws.com
[CURL DBG] > User-Agent: s3fs/1.88 (commit hash ***; OpenSSL)
[CURL DBG] > Accept: */*
[CURL DBG] > Authorization: xxxxxxx
[CURL DBG] > Content-Type: application/octet-stream
...
[CURL DBG] > Content-Length: 0
[CURL DBG] >
[CURL DBG] < HTTP/1.1 403 Forbidden
[CURL DBG] < x-amz-request-id: 1234567890
[CURL DBG] < x-amz-id-2: ******
[CURL DBG] < Content-Type: application/xml
[CURL DBG] < Transfer-Encoding: chunked
[CURL DBG] < Date: Tue, 19 Jan 2021 04:30:15 GMT
[CURL DBG] < Server: AmazonS3
[CURL DBG] * HTTP error before end of send, keep sending
[CURL DBG] <
[CURL DBG] * Connection #8 to host super_bucket.s3-us-east-1.amazonaws.com left intact
[ERR] curl.cpp:RequestPerform(2287): HTTP response code 403, returning EPERM. Body Text: <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>1234567890</RequestId><HostId>***</HostId></Error>
[INF]       cache.cpp:DelStat(578): delete stat cache entry[path=/test.txt]
于 2021-01-19T05:36:22.713 回答