AWS S3 Bucket Permissions - Access Denied

问题:

I am trying to give myself permission to download existing files in an S3 bucket. I've modified the Bucket Policy, as follows:

        {         "Sid": "someSID",         "Action": "s3:*",         "Effect": "Allow",         "Resource": "arn:aws:s3:::bucketname/AWSLogs/123123123123/*",         "Principal": {             "AWS": [                 "arn:aws:iam::123123123123:user/myuid"             ]         }     } 

My understanding is that addition to the policy should give me full rights to "bucketname" for my account "myuid", including all files that are already in that bucket. However, I'm still getting Access Denied errors when I try to download any of those files via the link that comes up in the console.

Any thoughts?

回答1:

David, You are right but I found that, in addition to what bennie said below, you also have to grant view (or whatever access you want) to 'Authenticated Users'.

But a better solution might be to edit the user's policy to just grant access to the bucket:

{    "Statement": [     {       "Sid": "Stmt1350703615347",       "Action": [         "s3:*"       ],       "Effect": "Allow",       "Resource": [         "arn:aws:s3:::mybucket/*"       ]     },     {       "Effect": "Allow",       "Action": [         "s3:ListBucket"       ],       "Resource": ["arn:aws:s3:::mybucket"],       "Condition": {}     }   ] } 

The first block grants all S3 permissions to all elements within the bucket. The second block grants list permission on the bucket itself.

回答2:

Step 1

Click on your bucket name, and under the permissions tab, make sure that Block new public bucker policies is unchecked

Step 2

Then you can apply your bucket policy

Hope that helps

回答3:

Change resource arn:aws:s3:::bucketname/AWSLogs/123123123123/* to arn:aws:s3:::bucketname/* to have full rights to bucketname

回答4:

Use below method for uploading any file for public readable form using TransferUtility in Android.

transferUtility.upload(String bucketName, String key, File file, CannedAccessControlList cannedAcl) 

Example

transferUtility.upload("MY_BUCKET_NAME", "FileName", your_file, CannedAccessControlList.PublicRead); 

回答5:

To clarify: It is really not documented well, but you need two access statements.

In addition to your statement that allows actions to resource "arn:aws:s3:::bucketname/AWSLogs/123123123123/*", you also need a second statement that allows ListBucket to "arn:aws:s3:::bucketname", because internally the Aws client will try to list the bucket to determine it exists before doing its action.

With the second statement, it should look like:

"Statement": [     {         "Sid": "someSID",         "Action": "ActionThatYouMeantToAllow",         "Effect": "Allow",         "Resource": "arn:aws:s3:::bucketname/AWSLogs/123123123123/*",         "Principal": {             "AWS": [                 "arn:aws:iam::123123123123:user/myuid"             ]     },     {         "Sid": "someOtherSID",         "Action": "ListBucket",         "Effect": "Allow",         "Resource": "arn:aws:s3:::bucketname",         "Principal": {             "AWS": [                 "arn:aws:iam::123123123123:user/myuid"             ]     } ] 

Note: If you're using IAM, skip the "Principal" part.

回答6:

Go to this link and generate a Policy. In the Principal field give *

In the Actions set the Get Objects

Give the ARN as arn:aws:s3:::<bucket_name>/*

Then add statement and then generate policy, you will get a JSON file and then just copy that file and paste it in the Bucket Policy.

For More Details go here.

回答7:

for show website static in s3:

This is bucket policies:

{   "Version":"2012-10-17",   "Statement":[{   "Sid":"PublicReadGetObject",     "Effect":"Allow",   "Principal": "*",   "Action":["s3:GetObject"],   "Resource":["arn:aws:s3:::example-bucket/*"   ]   } ] } 

文章来源: AWS S3 Bucket Permissions - Access Denied