找到你要的答案

Q:AWS S3 ACL Policy Condition

Q:AWS的S3 ACL政策条件

I'm trying to set up my role policy for S3. What I'm trying to do is allow users to get out any images that contain "public" in their name. The problem is that I've seem to of gotten the correct policy (it succeeds in the policy simulator) but when I'm running it in my app it doesn't seem to be working properly.

Here is my policy:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "mobileanalytics:PutEvents", "cognito-sync:*" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "s3:Get*", "s3:List*" ], "Resource": [ "arn:aws:s3:::*" ], "Condition": { "StringLike": { "s3:prefix": "*public*" } } } ] }

I am setting the s3:prefix as user1/image1-public. Like I mentioned before, on the policy simulator, it allows all "Get" and "List" commands (just like it should).

The problem is when I'm downloading an example image from the database using the transfer manager in the iOS app, I get the following error:

2015-10-07 14:22:01.716 SimpleAuth[71584:8584520] Error: Error Domain=com.amazonaws.AWSS3ErrorDomain Code=1 "The operation couldn’t be completed. (com.amazonaws.AWSS3ErrorDomain error 1.)" UserInfo=0x7fcbf2d8c560 {HostId=ke/f5x+DKCnjuzlbH5XBWCQfawbkUIRWWhPcY9LdqjPqP5kUyq0rzIjkqeL+8Bm/fvr/l24Wm94=, Message=Access Denied, Code=AccessDenied, RequestId=180803E4DDD0BB73}

The code that I have in the Xcode project is

AWSS3TransferManagerDownloadRequest *downloadRequest = [AWSS3TransferManagerDownloadRequest new];

downloadRequest.bucket = @"test";
downloadRequest.key = @"user1/image1-public";
downloadRequest.downloadingFileURL = downloadingFileURL;

// Download the file.
[[transferManager download:downloadRequest] continueWithExecutor:[AWSExecutor mainThreadExecutor]
                                                       withBlock:^id(AWSTask *task)
{
    if (task.error){
        if ([task.error.domain isEqualToString:AWSS3TransferManagerErrorDomain]) {
           switch (task.error.code) {
               case AWSS3TransferManagerErrorCancelled:
               case AWSS3TransferManagerErrorPaused:
                   break;

               default:
                   NSLog(@"Error: %@", task.error);
                   break;
           }
        } else {
           // Unknown error.
           NSLog(@"Error: %@", task.error);
        }
    }

    if (task.result)
    {
        AWSS3TransferManagerDownloadOutput *downloadOutput = task.result;
        //File downloaded successfully.

        NSLog(@"Now go to the next screen");

        [self performSegueWithIdentifier:@"LoginSuccessSegue" sender:self];

    }
    return nil;
    }];

Any help would be greatly appreciated. I've never been able to get a "Condition" to work on an ACL.

我想设置S3我的角色策略。我想做的是允许用户取出任何包含“公共”的图像在他们的名字。问题是,我似乎已经得到了正确的政策(它在策略模拟器中成功),但当我在我的应用程序运行它似乎并不正常工作。

这是我的政策:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "mobileanalytics:PutEvents", "cognito-sync:*" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "s3:Get*", "s3:List*" ], "Resource": [ "arn:aws:s3:::*" ], "Condition": { "StringLike": { "s3:prefix": "*public*" } } } ] }

我设置了S3:前缀为user1 /送入公共。就像我之前提到的,在策略模拟器上,它允许所有的“获取”和“列表”命令(就像它应该)。

问题是当我下载一个例子图像从数据库中使用的传输管理器在iOS的App,我收到以下错误:

2015-10-07 14:22: 1.716 simpleauth [ 71584:8584520 ]错误:错误代码= 1 = com.amazonaws.awss3errordomain域”无法完成作业。(com.amazonaws.awss3errordomain错误1。)“用户信息= 0x7fcbf2d8c560 {服务器=克/ f5x + dkcnjuzlbh5xbwcqfawbkuirwwhpcy9ldqjpqp5kuyq0rzijkqel + 8bm / FVR / l24wm94 =,=拒绝访问消息,代码= accessdenied RequestID = 180803e4ddd0bb73 },

我在Xcode项目代码

AWSS3TransferManagerDownloadRequest *downloadRequest = [AWSS3TransferManagerDownloadRequest new];

downloadRequest.bucket = @"test";
downloadRequest.key = @"user1/image1-public";
downloadRequest.downloadingFileURL = downloadingFileURL;

// Download the file.
[[transferManager download:downloadRequest] continueWithExecutor:[AWSExecutor mainThreadExecutor]
                                                       withBlock:^id(AWSTask *task)
{
    if (task.error){
        if ([task.error.domain isEqualToString:AWSS3TransferManagerErrorDomain]) {
           switch (task.error.code) {
               case AWSS3TransferManagerErrorCancelled:
               case AWSS3TransferManagerErrorPaused:
                   break;

               default:
                   NSLog(@"Error: %@", task.error);
                   break;
           }
        } else {
           // Unknown error.
           NSLog(@"Error: %@", task.error);
        }
    }

    if (task.result)
    {
        AWSS3TransferManagerDownloadOutput *downloadOutput = task.result;
        //File downloaded successfully.

        NSLog(@"Now go to the next screen");

        [self performSegueWithIdentifier:@"LoginSuccessSegue" sender:self];

    }
    return nil;
    }];

任何帮助将不胜感激。我一直没能得到一个“条件”的工作在一个ACL。

answer1: 回答1:

"s3:prefix": "*public*" will essentially never match anything meaningful.

It specifies a prefix -- not a wildcard match.

To match the image object at /user-1/image/public/kitten.jpg and everything else at the same level of structure, the policy condition would need to be "s3:prefix": "user-1/image/public/"

For a policy like this to work, the "public" needs to be at the far left of the path -- the prefix.

The documentation is unclear, but it is possible that instead of a condition, you could use a wildcard in the resource. It says, simply, "You can use wild card.". If true, then perhaps something along these lines:

"Resource": [
             "arn:aws:s3:::example-bucket/*/public/*"
            ],

If not, you're limited to prefixes again, which would be what I suspect may be the case.

I would have thought, though, that there would have been a warning from the policy simulator, something like this, to let you know that the policy simulator does not thoroughly evaluate all aspects of the policy, for some services:

“This action belongs to a service that supports access control mechanisms attached to resources. The simulator does not model these mechanisms, so results may differ in your production environment.”

http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html

“S3:前缀”:“*公*”也基本没有什么有意义的比赛。

它指定了一个前缀——不是一个通配符匹配。

匹配/ user-1 /图像/公共/在同一层次kitten.jpg和一切的图像对象,政策条件将需要“S3:前缀”:“user-1 /图像/公共/”

对于这样一个政策要工作,“公共”需要在最左边的路径-前缀。

该文件还不清楚,但它是可能的,而不是一个条件,你可以在资源使用通配符。它说,简单地说,“你可以使用外卡。”。如果是真的,那么也许沿着这些线:

"Resource": [
             "arn:aws:s3:::example-bucket/*/public/*"
            ],

如果不是,你有限的前缀,这将是我的猜想可能是这种情况。

不过,我想,政策模拟器会有这样的警告,让你知道政策模拟器并没有彻底评估政策的各个方面,一些服务:

“此操作属于支持资源访问控制机制的服务。模拟器不建模这些机制,所以结果可能会有所不同,在您的生产环境。”

http://docs.aws.amazon.com/iam/latest/userguide/access_policies_testing-policies.html

amazon-web-services  amazon-s3  acl