1. 首页
  2. 问答
  3. 跨账户中的亚马逊S3文件'拒绝访问'异常

跨账户中的亚马逊S3文件'拒绝访问'异常

2015-10-20 97 views
2

我有2个AWS账户。帐户A具有S3存储桶'BUCKET',其中我使用Java API放置文件。我已将“BUCKET”政策配置为允许跨帐户文件发布。 但是,当我尝试从帐户A打开此文件时,它说AccessDenied访问被hostId和requestId拒绝。跨账户中的亚马逊S3文件'拒绝访问'异常

此文件通过帐户B使用java api发布,并且此文件具有与通过api发布的文件相同的大小。我试图更改文件大小,新的大小显示在AWS S3控制台上。 这里是我的斗政策:

{ 
"Version": "2008-10-17", 
"Id": "Policy1357935677554", 
"Statement": [ 
    { 
     "Sid": "Stmt1357935647218", 
     "Effect": "Allow", 
     "Principal": { 
      "AWS": "arn:aws:iam::ACCOUNTB:user/accountb-user" 
     }, 
     "Action": "s3:ListBucket", 
     "Resource": "arn:aws:s3:::bucket-name" 
    }, 
    { 
     "Sid": "Stmt1357935676138", 
     "Effect": "Allow", 
     "Principal": { 
      "AWS": "arn:aws:iam::ACCOUNTB:user/accountb-user" 
     }, 
     "Action": "s3:PutObject", 
     "Resource": "arn:aws:s3:::bucket-name/*" 
    }, 
    { 
     "Sid": "Stmt1357935676138", 
     "Effect": "Allow", 
     "Principal": { 
      "AWS": "arn:aws:iam::ACCOUNTB:user/accountb-user" 
     }, 
     "Action": "s3:*", 
     "Resource": "arn:aws:s3:::bucket-name/*" 
    }, 
    { 
     "Sid": "Stmt1357935647218", 
     "Effect": "Allow", 
     "Principal": { 
      "AWS": "arn:aws:iam::ACCOUNTA:user/accounta-user" 
     }, 
     "Action": "s3:ListBucket", 
     "Resource": "arn:aws:s3:::bucket-name" 
    }, 
    { 
     "Sid": "Stmt1357935676138", 
     "Effect": "Allow", 
     "Principal": { 
      "AWS": "arn:aws:iam::ACCOUNTA:user/accounta-user" 
     }, 
     "Action": "s3:*", 
     "Resource": "arn:aws:s3:::bucket-name/*" 
    }, 
    { 
     "Sid": "Stmt1357935676138", 
     "Effect": "Allow", 
     "Principal": { 
      "AWS": "arn:aws:iam::ACCOUNTA:root" 
     }, 
     "Action": "s3:*", 
     "Resource": "arn:aws:s3:::bucket-name/*" 
    } 
]

}

问题是,当我尝试下载/打开从帐户A这个文件,我无法将其打开。

来源

2015-10-20 user954134

+0

您是否设法解决了问题?我也有这个问题。 – rastacide

+0

是的,你需要使用's3Client.putObject(new PutObjectRequest(bucket,key,inputFile).withAccessControlList(acl))' – user954134

回答

1

问题是,默认情况下,当AWS(cli或SDK)上传文件时,只会通过s3 ACL授予对上传器的访问权限。

在这种情况下,为了允许所有者读取上传的文件,上传者必须在上传过程中明确授予对存储桶所有者的访问权限。例如:

  • aws CLI(文档here):aws s3api put-object --bucket <bucketname> --key <filename> --acl bucket-owner-full-control
  • nodejs API(文档here):你必须在AWS.S3.upload方法的params.ACL属性设置为"bucket-owner-full-control"

在并行,您还可以确保存储桶拥有者完全控制存储桶策略(其他文档here):

{ "Version": "2012-10-17", "Statement": [ { "Sid": "Grant Owner Full control dev", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::ACCOUNTB:root" }, "Action": [ "s3:PutObject" ], "Resource": [ "arn:aws:s3:::bucket-name/*" ], "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } } } ] }

来源

2017-09-06 13:24:29 herve

+0

仍然有些奇怪,如果你不这样做,那么存储桶拥有者有权删除这些文件。 – herve

相关问题

 相关问题