권한이 s3 인 경우 S3 버킷 용 ListObjects에 대한 AccessDenied : *
나는 얻고있다
ListObjects 작업을 호출 할 때 오류 (AccessDenied)가 발생했습니다. 액세스가 거부되었습니다.
내 S3 버킷에서 폴더를 가져 오려고 할 때.
이 명령 사용
aws s3 cp s3://bucket-name/data/all-data/ . --recursive
버킷에 대한 IAM 권한은 다음과 같습니다.
{
"Version": "version_id",
"Statement": [
{
"Sid": "some_id",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::bucketname/*"
]
}
] }
나는 할 수 있도록 변화해야 할 사항은 무엇 copy과 ls성공적으로?
S3 버킷 내부의 객체에 대해 명령을 수행 할 수있는 권한을 부여했지만 버킷 자체에서 작업을 수행 할 수있는 권한을 부여하지 않았습니다. 정책을 다음과 같이 수정하십시오.
정책을 약간 수정하면 다음과 같습니다.
{
"Version": "version_id",
"Statement": [
{
"Sid": "some_id",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::bucketname",
"arn:aws:s3:::bucketname/*"
]
}
]
}
그러나 그것은 아마도 필요한 것보다 mroe 권한을 부여합니다. 최소 권한 부여에 대한 AWS IAM 모범 사례를 따르면 다음과 같습니다.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::bucketname"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::bucketname/*"
]
}
]
}
If you wanted to copy all s3 bucket objects using the command "aws s3 cp s3://bucket-name/data/all-data/ . --recursive" as you mentioned, here is a safe and minimal policy to do that:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::bucket-name"
],
"Condition": {
"StringLike": {
"s3:prefix": "data/all-data/*"
}
}
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::bucket-name/data/all-data/*"
]
}
]
}
The first statement in this policy allows for listing objects inside a specific bucket's sub directory. The resource needs to be the arn of the S3 bucket, and to limit listing to only a sub-directory in that bucket you can edit the "s3:prefix" value.
The second statement in this policy allows for getting objects inside of the bucket at a specific sub-directory. This means that anything inside the "s3://bucket-name/data/all-data/" path you will be able to copy. Be aware that this doesn't allow you to copy from parent paths such as "s3://bucket-name/data/".
This solution is specific to limiting use for AWS CLI commands; if you need to limit S3 access through the AWS console or API, then more policies will be needed. I suggest taking a look here: https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/.
A similar issue to this can be found here which led me to the solution I am giving. https://github.com/aws/aws-cli/issues/2408
Hope this helps!
You have to specify Resource for the bucket via "arn:aws:3:::bucketname" or "arn:aws:3:::bucketname*". The latter is preferred since it allows manipulations on the bucket's objects too. Notice there is no slash!
Listing objects is an operation on Bucket. Therefore, action "s3:ListBucket" is required. Adding an object to the Bucket is an operation on Object. Therefore, action "s3:PutObject" is needed. Certainly, you may want to add other actions as you require.
{
"Version": "version_id",
"Statement": [
{
"Sid": "some_id",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::bucketname*"
]
}
]
}
I was unable to access to S3 because
- first I configured key access on the instance (it was impossible to attach role after the launch then)
- forgot about it for a few months
- attached role to instance
- tried to access. The configured key had higher priority than role, and access was denied because the user wasn't granted with necessary S3 permissions.
Solution: rm -rf .aws/credentials, then aws uses role.
I got the same error when using policy as below, although i have "s3:ListBucket" for s3:ListObjects operation.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:GetObjectAcl"
],
"Resource": [
"arn:aws:s3:::<bucketname>/*",
"arn:aws:s3:::*-bucket/*"
],
"Effect": "Allow"
}
]
}
Then i fixed it by adding one line "arn:aws:s3:::bucketname"
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:GetObjectAcl"
],
"Resource": [
"arn:aws:s3:::<bucketname>",
"arn:aws:s3:::<bucketname>/*",
"arn:aws:s3:::*-bucket/*"
],
"Effect": "Allow"
}
]
}
I was thinking the error is due to "s3:ListObjects" action but I had to add the action "s3:ListBucket" to solve the issue "AccessDenied for ListObjects for S3 bucket"
I faced with the same issue. I just added credentials config:
aws_access_key_id = your_aws_access_key_id
aws_secret_access_key = your_aws_secret_access_key
into "~/.aws/credentials" + restart terminal for default profile.
In the case of multi profiles --profile arg needs to be added:
aws s3 sync ./localDir s3://bucketName --profile=${PROFILE_NAME}
where PROFILE_NAME:
.bash_profile ( or .bashrc) -> export PROFILE_NAME="yourProfileName"
More info about how to config credentials and multi profiles can be found here
Ran into a similar issues, for me the problem was that I had different AWS keys set in my bash_profile.
I answered a similar question here: https://stackoverflow.com/a/57317494/11871462
If you have conflicting AWS keys in your bash_profile, AWS CLI defaults to these instead.
I tried the following:
aws s3 ls s3.console.aws.amazon.com/s3/buckets/{bucket name}
This gave me the error:
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
Using this form worked:
aws s3 ls {bucket name}
'program tip' 카테고리의 다른 글
| Git은 새 하위 모듈을 초기화 / 동기화 / 업데이트하지 않습니다. (0) | 2020.08.25 |
|---|---|
| PostgreSQL은 JSON 배열로 결과 집합을 반환합니까? (0) | 2020.08.25 |
| 내 네트워크의 다른 컴퓨터에서 내 IIS 호스팅 사이트보기 (0) | 2020.08.25 |
| 암호를 서버 측으로 보내기 전에 해시해야합니까? (0) | 2020.08.25 |
| 정점 배열 객체는 무엇입니까? (0) | 2020.08.24 |