为什么我的访问在 s3 上被拒绝(使用 Node.js 的 aws-sdk)?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/39620873/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Why is my access denied on s3 (using the aws-sdk for Node.js)?
提问by Shawn
I'm trying to read an existing file from my s3 bucket, but I keep getting "Access Denied" with no explanation or instructions on what to do about it. Hereis the code I am using:
我正在尝试从我的 s3 存储桶中读取现有文件,但我一直收到“拒绝访问”的消息,但没有解释或说明如何处理。这是我正在使用的代码:
'use strict'
var AWS = require('aws-sdk')
const options = {
apiVersion: '2006-03-01',
params: {
Bucket: process.env['IMAGINATOR_BUCKET']
},
accessKeyId: process.env['IMAGINATOR_AWS_ACCESS_KEY_ID'],
secretAccessKey: process.env['IMAGINATOR_AWS_SECRET_ACCESS_KEY'],
signatureVersion: 'v4'
}
console.log('options', options)
var s3 = new AWS.S3(options)
module.exports = exports = {
get (name, cb) {
const params = {
Key: name + '.json'
}
console.log('get params', params)
return s3.getObject(params, cb)
},
set (name, body, cb) {
const params = {
Key: name + '.json',
Body: body
}
console.log('set params', params)
return s3.putObject(params, cb)
}
}
And this is what I'm getting as output when using the getmethod and logging the error provided in the callback (with sensitive information censored out):
这就是我在使用该get方法并记录回调中提供的错误时得到的输出(敏感信息被删除):
options { apiVersion: '2006-03-01',
params: { Bucket: CENSORED_BUT_CORRECT },
accessKeyId: CENSORED_BUT_CORRECT,
secretAccessKey: CENSORED_BUT_CORRECT,
signatureVersion: 'v4' }
get params { Key: 'whitelist.json' }
err { [AccessDenied: Access Denied]
message: 'Access Denied',
code: 'AccessDenied',
region: null,
time: Wed Sep 21 2016 11:17:50 GMT-0400 (EDT),
requestId: CENSORED,
extendedRequestId: CENSORED,
cfId: undefined,
statusCode: 403,
retryable: false,
retryDelay: 20.084538962692022 }
/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/request.js:31
throw err;
^
AccessDenied: Access Denied
at Request.extractError (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/services/s3.js:538:35)
at Request.callListeners (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/sequential_executor.js:105:20)
at Request.emit (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
at Request.emit (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/request.js:668:14)
at Request.transition (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/request.js:670:12)
at Request.callListeners (/Users/shawn/git/vigour-io/imaginate/node_modules/aws-sdk/lib/sequential_executor.js:115:18)
Now I'm not sure what to do beacuse I think I'm doing things correctly according to the docs, but it's not working and the error message doesn't say why my access is denied... Any idea what the next step should be to get this working?
现在我不确定该怎么做,因为我认为我根据文档正确地做事,但它不起作用,错误消息没有说明为什么我的访问被拒绝......知道下一步应该做什么是为了让这个工作?
回答by Shawn
The problem was that my new IAM user didn't have a policy attached to it. I assigned it the AmazonS3FullAccesspolicy and now it works.
问题是我的新 IAM 用户没有附加策略。我为它分配了AmazonS3FullAccess策略,现在它可以工作了。
As pointed out in the comments, a more restrictive policy would be much safer
正如评论中指出的那样,限制性更强的政策会更安全
回答by Anderson Clayton
FullAccessin your police is not required. You can try something like this:
FullAccess在你的警察是不需要的。你可以尝试这样的事情:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:Put*",
"s3:Get*",
"s3:List*",
"s3:Delete*"
],
"Resource": [
"arn:aws:s3:::bucket/*",
"arn:aws:s3:::bucket"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
}
]
}
回答by valdeci
These errors can occurs when the object which you are trying to read does not exist. By what I understood the AWS errors are not so clear in these situations.
当您尝试读取的对象不存在时,可能会发生这些错误。据我了解,在这些情况下,AWS 错误并不是很清楚。
Validate if your key/bucket is correct and if you are sending the correct params on the API method.
验证您的密钥/存储桶是否正确,以及您是否在 API 方法上发送了正确的参数。
I already got this problem two times:
我已经两次遇到这个问题:
- when I was replacing the key param with the bucket param and vice versa when I was trying to read an s3 object using the
getObject()method. - when I was trying to copy a file to a location that did not exist using the
copyObject()method.
- 当我尝试使用该
getObject()方法读取 s3 对象时,将 key 参数替换为 bucket 参数,反之亦然。 - 当我尝试使用该
copyObject()方法将文件复制到不存在的位置时。
回答by NBhat
"code":"AccessDenied","region":null,"time":"2020-05-24T05:20:56.219Z","requestId": ...
Applied the below policy in s3 aws console > Bucket policy editorof 'Permissions' tab to get rid of the above error,
在 s3 aws 控制台 > “权限”选项卡的存储桶策略编辑器中应用以下策略以消除上述错误,
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<IAM-user-ID>:user/testuser"
},
"Action": [
"s3:ListBucket",
"s3:ListBucketVersions",
"s3:GetBucketLocation",
"s3:Get*",
"s3:Put*"
],
"Resource": "arn:aws:s3:::srcbucket"
}
]
}
