【发布时间】:2021-06-22 17:16:59
【问题描述】:
模拟场景:
我正在尝试以附加了 s3 拒绝策略的 iam 用户身份访问 s3 存储桶。因此访问 s3 存储桶将通过 Access Denied 错误。但我可以看到桶里的东西..
下面是我的代码:
@pytest.fixture()
def s3():
with moto.mock_s3():
yield boto3.client(
"s3",
region_name="us-east-1",
aws_access_key_id="testing",
aws_secret_access_key="testing",
aws_session_token="testing",
)
@pytest.fixture
def bucket_name(s3):
bucket_name = "test_bucket"
s3.create_bucket(Bucket=bucket_name)
s3.put_object(Bucket=bucket_name, Key="a/b/c/abc.txt")
return bucket_name
@pytest.fixture()
def iam():
with moto.mock_iam():
yield boto3.client(
"iam",
region_name="us-east-1",
aws_access_key_id="testing",
aws_secret_access_key="testing",
aws_session_token="testing",
)
#
#
@pytest.fixture()
def iam_user(iam, s3, bucket_name):
user_name = "test-user"
policy_name = "policy1"
iam.create_user(UserName=user_name)
policy_document = {
"Version": "2012-10-17",
"Statement": {"Effect": "Deny", "Action": "s3:ListBucket", "Resource": "*"}
policy_arn = iam.create_policy(PolicyName=policy_name, PolicyDocument=json.dumps(policy_document))["Policy"][
"Arn"
]
iam.attach_user_policy(UserName=user_name, PolicyArn=policy_arn)
access_key = iam.create_access_key(UserName=user_name)
client = boto3.client(
"s3",
region_name="us-east-1",
aws_access_key_id=access_key["AccessKey"]["AccessKeyId"],
aws_secret_access_key=access_key["AccessKey"]["SecretAccessKey"],
)
print(client.list_objects(Bucket=bucket_name))
def test_check(iam, iam_user):
print("DOne")
回应
{'ResponseMetadata': {'HTTPStatusCode': 200, 'HTTPHeaders': {}, 'RetryAttempts': 0}, 'IsTruncated': False, 'Contents': [{'Key': 'a/b/c/abc.txt', 'LastModified': datetime.datetime(2021, 3, 25, 20, 31, 15, tzinfo=tzutc()), 'ETag': '"abcdefghikkd"', 'Size': 0, 'StorageClass': 'STANDARD', 'Owner': {'DisplayName': 'webfile', 'ID': 'abcdefgh'}}], 'Name': 'test_bucket', 'MaxKeys': 1000}
感谢任何帮助。 谢谢
【问题讨论】:
标签: amazon-s3 boto3 amazon-iam moto