2015-11-03 55 views

If I attach an AdministratorAccess policy to my S3 user, I can upload files from my web application to AWS S3 without any trouble. Which actions do I need to specify in the user policy so that I can upload files to S3?

Policy name: AdministratorAccess

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
    { 
     "Effect": "Allow", 
     "Action": "*", 
     "Resource": "*" 
    } 
    ] 
} 

But when I try to restrict the user's privileges with a different policy, I get a 403 error from Amazon: Access Denied.

Request headers:

Remote Address: [hidden] 
Request URL:https://mydevelopmentbucket.s3-us-west-2.amazonaws.com/ 
Request Method:POST 
Status Code:403 Forbidden 
XML returned from Amazon S3:

Aren't these actions enough to upload a file? Below is the modified (limited) user policy.

"s3:DeleteObject", 
"s3:GetObject", 
"s3:PutObject", 
"s3:ListBucket" 

limited_user policy:

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
     { 
      "Sid": "AllowUploadingInProduction", 
      "Effect": "Allow", 
      "Action": [ 
       "s3:DeleteObject", 
       "s3:GetObject", 
       "s3:PutObject", 
       "s3:ListBucket" 
      ], 
      "Resource": [ 
       "arn:aws:s3:::myproductionbucket/*" 
      ] 
     }, 
     { 
      "Sid": "AllowUploadingInDevelopment", 
      "Effect": "Allow", 
      "Action": [ 
       "s3:DeleteObject", 
       "s3:GetObject", 
       "s3:PutObject", 
       "s3:ListBucket" 
      ], 
      "Resource": [ 
       "arn:aws:s3:::mydevelopmentbucket/*" 
      ] 
     } 
    ] 
} 

Development bucket policy:

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
    { 
     "Sid": "UploadFile", 
     "Effect": "Allow", 
     "Principal": { 
     "AWS": "arn:aws:iam::5503214313988:user/limited_user" 
     }, 
     "Action": [ 
     "s3:DeleteObject", 
      "s3:GetObject", 
      "s3:PutObject" 
     ], 
     "Resource": "arn:aws:s3:::mydevelopmentbucket/*" 
    }, 

    { 
     "Sid": "ListBucket", 
     "Effect": "Allow", 
     "Principal": { 
     "AWS": "arn:aws:iam::5503214313988:user/limited_user" 
     }, 
     "Action": [ 
     "s3:ListBucket"   
     ], 
     "Resource": "arn:aws:s3:::mydevelopmentbucket" 
    }, 

    { 
     "Sid": "crossdomainAccess", 
     "Effect": "Allow", 
     "Principal": "*", 
     "Action": "s3:GetObject", 
     "Resource": "arn:aws:s3:::mydevelopmentbucket/crossdomain.xml" 
    } 
    ] 
} 

Request payload:

------WebKitFormBoundaryGGlyxVetpT9vWBGi 
Content-Disposition: form-data; name="key" 

3c23688b16c03b7491508ab97595b74ebd301ca6a4f0aaea74a23a81944e457c/avatars/gjRyRE20LzJsGHAwulI1QZqV77JpnPGmTLKrxvvnIpQSqe800zcHT8vvWGF0wVoC/cache2.jpg 
------WebKitFormBoundaryGGlyxVetpT9vWBGi 
Content-Disposition: form-data; name="AWSAccessKeyId" 

AKIAIITCEYZCTQBJ4RUQ 
------WebKitFormBoundaryGGlyxVetpT9vWBGi 
Content-Disposition: form-data; name="acl" 

public-read 
------WebKitFormBoundaryGGlyxVetpT9vWBGi 
Content-Disposition: form-data; name="policy" 

ewogICAgImV4cGlyYXRpb24iOiAiMjAyMC0wMS0wMVQwMDowMDowMFoiLAogICAgImNvbmRpdGlvbnMiOiBbCiAgICAgICAgeyJidsdkfjsflksdjflksdfjHMtd2l0aCIsICIkQ29udGVudC1UeXBlIiwgIiJdLAogICAgICAgIFsic3RhcnRzLXdpdGgiLCAiJGZpbGVuYW1lIiwgIiJdLAogICAgICAgIHsic3VjY2Vzc19hY3Rpb25fc3RhdHVzIjogIjIwMSJ9LAogICAgICAgIFsiY29udGVudC1sZW5ndGgtcmFuZ2UiLCAwLCA1MjQyODgwMDBdCiAgICBdCn0= 
------WebKitFormBoundaryGGlyxVetpT9vWBGi 
Content-Disposition: form-data; name="signature" 

svw7geEWRWER88ERLaxNiIY= 
------WebKitFormBoundaryGGlyxVetpT9vWBGi 
Content-Disposition: form-data; name="Content-Type" 

image/jpeg 
------WebKitFormBoundaryGGlyxVetpT9vWBGi 
Content-Disposition: form-data; name="filename" 

cache2.jpg 
------WebKitFormBoundaryGGlyxVetpT9vWBGi 
Content-Disposition: form-data; name="success_action_status" 

201 
------WebKitFormBoundaryGGlyxVetpT9vWBGi 
Content-Disposition: form-data; name="file"; filename="undefined" 
Content-Type: image/png 


------WebKitFormBoundaryGGlyxVetpT9vWBGi-- 

My Angular directive:

$scope.upload = function(dataUrl) {
  Upload.upload({
    url: '<%= ENV["S3_UPLOAD_URL"] %>',
    method: 'POST',
    // Every form field sent here must be allowed by a condition in the signed policy.
    data: {
      key: 'avatars/' + $scope.picFile.name,
      AWSAccessKeyId: '<%= ENV["AWS_ACCESS_KEY_ID"] %>',
      acl: 'public-read',
      policy: $scope.policy,        // base64-encoded policy document from the server
      signature: $scope.signature,  // HMAC signature of that policy, computed server-side
      "Content-Type": $scope.picFile.type != '' ? $scope.picFile.type : 'application/octet-stream',
      filename: $scope.picFile.name,
      success_action_status: 201,
      file: Upload.dataUrltoBlob(dataUrl)
    }
  })
  .then(
    function (resp) {
      console.log('Success');
    },
    function (resp) {
      console.log('Error');
    },
    function (evt) {
      $scope.progressPercentage = parseInt(100.0 * evt.loaded / evt.total);
    }
  );
};

Answer


I needed to add 2 actions to my limited_user policy:

"s3:GetObjectAcl", 
"s3:PutObjectAcl" 
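An added example, not code from the question or the answer: server-side Python that builds and signs the browser-POST policy document the form above sends (the legacy AWSAccessKeyId/policy/signature scheme, HMAC-SHA1 over the base64 policy), verifies a submitted signature, and checks an IAM policy document for the object-level actions the upload needs, which is how the missing s3:PutObjectAcl shows up when the form sets acl. The sample secret and the simplified IAM wildcard matcher are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample secret for the demo; the real secret key stays on the server.
SAMPLE_SECRET = "constructed-not-a-real-secret"

def build_post_policy(bucket, key_prefix, acl, max_bytes, expiration="2020-01-01T00:00:00Z"):
    """Browser-POST policy covering every field the question's form sends.
    Each form field must be allowed by a condition, or S3 answers 403."""
    return {"expiration": expiration, "conditions": [
        {"bucket": bucket},
        ["starts-with", "$key", key_prefix],
        {"acl": acl},
        ["starts-with", "$Content-Type", ""],
        ["starts-with", "$filename", ""],
        {"success_action_status": "201"},
        ["content-length-range", 0, max_bytes],
    ]}

def sign_post_policy(policy, secret_key):
    """Legacy signing used by the AWSAccessKeyId/policy/signature form fields:
    policy -> base64(JSON), signature -> base64(HMAC-SHA1(secret, encoded policy))."""
    encoded = base64.b64encode(json.dumps(policy).encode())
    digest = hmac.new(secret_key.encode(), encoded, hashlib.sha1).digest()
    return encoded.decode(), base64.b64encode(digest).decode()

def verify_post_signature(encoded_policy, signature, secret_key):
    """Constant-time check that a submitted signature matches the encoded policy."""
    digest = hmac.new(secret_key.encode(), encoded_policy.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(base64.b64encode(digest).decode(), signature)

def _covers(pattern, value):
    # Simplified IAM matching (assumption): exact, "*", or a trailing-wildcard prefix.
    return pattern == "*" or pattern == value or (
        pattern.endswith("*") and value.startswith(pattern[:-1]))

def missing_upload_permissions(iam_policy, bucket, form_sets_acl):
    """Object-level S3 actions the upload needs that no Allow statement grants.
    A form sending an acl field needs s3:PutObjectAcl besides s3:PutObject.
    (s3:ListBucket is bucket-level: grant it on arn:aws:s3:::bucket, as the bucket policy does.)"""
    obj_arn = f"arn:aws:s3:::{bucket}/*"
    needed = ["s3:PutObject"] + (["s3:PutObjectAcl"] if form_sets_acl else [])
    as_list = lambda v: v if isinstance(v, list) else [v]
    return [action for action in needed if not any(
        s.get("Effect") == "Allow"
        and any(_covers(a, action) for a in as_list(s["Action"]))
        and any(_covers(r, obj_arn) for r in as_list(s["Resource"]))
        for s in iam_policy["Statement"])]
```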