“Access Denied” - User's Permissions to S3 Bucket

守給你的承諾、 submitted on 2019-12-12 05:13:14

Question


I send out an automated email for orders, and am now trying to have a link to download a PDF receipt.

Users are getting an error in the browser when trying to download saying "This XML file does not appear to have any style information associated with it. The document tree is shown below."

I've gone into the bucket and run "Make Public" on the receipt bucket, still no luck. File structure is:

app-name/uploads/order/receipt

What do I need to do to allow permissions for users to be able to download their receipts?


Answer 1:


When you make a bucket public you should get a new URL that looks like this

http://bucketName.s3-website-us-east-1.amazonaws.com/uploads/order/receipt

... you should use that one in your mail.

But bear in mind that all data is then publicly available; maybe you are better off with pre-signed S3 URLs that you distribute per client.




Answer 2:


Had a similar issue with a particular file on s3. Solved the issue by changing the access permissions of the file using the mv command and the --acl argument. Trying to access a file called data.jsonlines gave the ACCESS DENIED error. Solved it by running the following commands:

aws s3 cp s3://<s3 bucket name>/path/to/file/data.jsonlines s3://<s3 bucket name>/path/to/file/data_copy.jsonlines

aws s3 mv --acl public-read s3://<s3 bucket name>/path/to/file/data_copy.jsonlines s3://<s3 bucket name>/path/to/file/data.jsonlines

Or you can combine them by running:

aws s3 cp s3://<s3 bucket name>/path/to/file/data_out.jsonlines  s3://cfa-opengazettes-ke/gazettes/data_out2.jsonlines && aws s3 mv --acl public-read s3://cfa-opengazettes-ke/gazettes/data_out2.jsonlines s3://<s3 bucket name>/path/to/file/data_out.jsonlines

These commands carry out the steps below:

  • copy: s3://<s3 bucket name>/path/to/file/data.jsonlines to s3://<s3 bucket name>/path/to/file/data_copy.jsonlines

  • move: s3://<s3 bucket name>/path/to/file/data_copy.jsonlines to s3://<s3 bucket name>/path/to/file/data.jsonlines

Basically, it creates a copy of the file and then deletes it during the move while changing the permissions of the file.

Note the --acl option and the argument public-read. From the documentation:

--acl (string) Sets the ACL for the object when the command is performed. If you use this parameter you must have the "s3:PutObjectAcl" permission included in the list of actions for your IAM policy. Only accepts values of private, public-read, public-read-write, authenticated-read, aws-exec-read, bucket-owner-read, bucket-owner-full-control and log-delivery-write.

Some more useful information at this AWS page



Source: https://stackoverflow.com/questions/30715747/access-denied-users-permissions-to-s3-bucket
