AWS S3 CloudFormation 只读权限

【问题标题】:AWS S3 CloudFormation Read-Only PermissionAWS S3 CloudFormation 只读权限
【发布时间】:2020-01-04 07:52:54
【问题描述】:

我正在尝试创建两个用户并授予 user1 对 s3 存储桶的只读权限,我还需要授予 user2 读取和写入权限。这是我到目前为止所做的事情

AWSTemplateFormatVersion: "2010-09-09"


Resources:
  s3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private

  User1:
    Type: AWS::IAM::User

  User2:
    Type: AWS::IAM::User

  User1Key:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref 'User1'

  User2Key:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref 'User2'
Outputs:
  AccessKey:
    Value: !Ref 'User1Key'
    Description: AWSAccessKeyId of User 1
  SecretKey:
    Value: !GetAtt [User1Key, SecretAccessKey]
    Description: AWSSecretAccessKey of User 1
  AccessKey2:
    Value: !Ref 'User2Key'
    Description: AWSAccessKeyId of User 2
  SecretKey2:
    Value: !GetAtt [User2Key, SecretAccessKey]
    Description: AWSSecretAccessKey of User 2

我不知道如何实现这个

【问题讨论】:

    标签: amazon-web-services amazon-s3 aws-lambda amazon-cloudformation


    【解决方案1】:

    其中一种方法是使用 IAM 策略来实现相同的目的。

    看看下面的代码。我们正在创建两种策略,一种用于读取,一种用于写入。一个用户被分配到读取和写入策略,另一个用户仅被分配到读取。 

    AWSTemplateFormatVersion: "2010-09-09"

Resources:
  s3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private

  S3ReadPolicy:
    Type: "AWS::IAM::Policy"
    Properties:
      PolicyName: "S3ReadPolicy"
      PolicyDocument:
        Statement:
          - Action: s3:GetObject
            Effect: Allow
            Resource: !Sub "arn:aws:s3:::${s3Bucket}/*"
          - Action: s3:ListBucket
            Effect: Allow
            Resource: !Sub "arn:aws:s3:::${s3Bucket}"
      Users:
        - Ref: User1
        - Ref: User2

  S3WritePolicy:
    Type: "AWS::IAM::Policy"
    Properties:
      PolicyName: "S3WritePolicy"
      PolicyDocument:
        Statement:
          - Action: s3:PutObject
            Effect: Allow
            Resource: !Sub "arn:aws:s3:::${s3Bucket}/*"
      Users:
        - Ref: User2        

  User1:
    Type: AWS::IAM::User

  User2:
    Type: AWS::IAM::User

  User1Key:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref "User1"

  User2Key:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref "User2"
Outputs:
  AccessKey:
    Value: !Ref "User1Key"
    Description: AWSAccessKeyId of User 1
  SecretKey:
    Value: !GetAtt [User1Key, SecretAccessKey]
    Description: AWSSecretAccessKey of User 1
  AccessKey2:
    Value: !Ref "User2Key"
    Description: AWSAccessKeyId of User 2
  SecretKey2:
    Value: !GetAtt [User2Key, SecretAccessKey]
    Description: AWSSecretAccessKey of User 2

    希望对你有帮助

    【讨论】:

    • 修改了答案以使用 IAM 策略而不是存储桶策略
    • 更正了 IAM 策略而不是 BucketPolicy 的答案
    猜你喜欢
    • 1970-01-01
    • 2021-06-02
    • 1970-01-01
    • 1970-01-01
    • 2017-06-09
    • 2020-09-27
    • 1970-01-01
    • 2022-12-28
    • 2019-04-29
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode