Access Denied when uploading files to Amazon S3 with Paperclip and an IAM policy
Tags: amazon, paperclip, file-upload, access-denied

2023-09-11 09:44:14 Author: 一个人的夜我的心

I am unable to get an upload working with Paperclip using an S3 IAM policy. I'm even having issues with direct jQuery uploads (no Paperclip). My scenario is as follows: I have an application that will have many sites. Each site will have its own bucket and should only be able to access its own bucket, nobody else's. The IAM Example Policies documentation explains exactly what I want to do under "Example: Allow each IAM user access to a folder in a bucket". I have an IAM group set up for the application and have one user per site within the group. These IAM users belong to the group. The policy on the group is as follows:

{
   "Version":"2012-10-17",
   "Statement":[{
         "Effect":"Allow",
         "Action":[
            "s3:PutObject",
            "s3:GetObject",
            "s3:GetObjectVersion",
            "s3:DeleteObject",
            "s3:DeleteObjectVersion"
         ],
         "Resource":"arn:aws:s3:::my-app/${aws:username}/*"
      }
   ]
}

Here is my CORS configuration on the bucket, for dev of course, it will get locked down later:

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
</CORSConfiguration>

Here are my Paperclip settings:

has_attached_file :background_image,
                  storage: :s3,
                  s3_credentials: {
                    access_key_id: "xxx",
                    secret_access_key: "xxx"
                  },
                  bucket: "my-app",
                  s3_permissions: "public-read",
                  path: "/background_images/:id/:filename"

I was previously working with policies directly on the bucket, which did work but wasn't as flexible as I need it to be when I move into a production environment with many "sites". As far as I can tell I've followed the documentation exactly yet anything I do results in 'Access Denied'. At this point I'm not even sure if my issue is with my IAM policy or my Paperclip configuration.

Edit: clarification

edit 2: FINAL SOLUTION

Here is the policy, based on this article:

{
 "Version":"2012-10-17",
 "Statement": [
   {
     "Sid": "AllowUserToSeeBucketListInTheConsole",
     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::*"]
   },
  {
     "Sid": "AllowRootAndHomeListingOfCompanyBucket",
     "Action": ["s3:ListBucket"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::my-app"],
     "Condition":{"StringEquals":{"s3:prefix":["","home/"],"s3:delimiter":["/"]}}
    },
   {
     "Sid": "AllowListingOfUserFolder",
     "Action": ["s3:ListBucket"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::my-app"],
     "Condition":{"StringLike":{"s3:prefix":["home/${aws:username}/*"]}}
   },
   {
     "Sid": "AllowAllS3ActionsInUserFolder",
     "Effect": "Allow",
     "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::my-app/home/${aws:username}/*"]
   }
 ]
}

And my updated Paperclip settings:

has_attached_file :background_image,
                    storage: :s3,
                    s3_credentials: {
                      access_key_id: "xxx",
                      secret_access_key: "xxx"
                    },
                    bucket: "my-app",
                    s3_permissions: "public-read",
                    path: "/home/my_s3_username/background_images/:id/:filename"

It was important to include the username in the Paperclip path. I was assuming Amazon would infer that from the credentials but that's not the case.

Recommended answer

Because you're trying to set permissions on the objects you upload, you also need to give your IAM users the s3:PutObjectAcl permission.
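The two lessons on this page (the object key must contain the `${aws:username}` segment the policy expects, and `s3_permissions: "public-read"` additionally needs `s3:PutObjectAcl`) can be checked offline with a small policy simulator. The following Ruby script is an added example, not code from the original post, from Paperclip, or from AWS: it implements only the subset of IAM semantics the two policies above rely on (Allow/Deny, `*`/`?` wildcards in Action and Resource, `${aws:username}` substitution, and `StringEquals`/`StringLike` conditions), with explicit Deny winning over Allow and an implicit deny otherwise. The bucket name `my-app` is used throughout (the post mixes `my-app` and `estimator-app`), and the usernames `site1`/`site2` and object keys are constructed for the demonstration.

```ruby
require 'json'

# Added example: a deliberately small evaluator for identity-based S3 policies.
# It is NOT AWS's evaluation engine (no bucket policies, NotAction/NotResource,
# or other condition operators); it exists to show why the policies on this
# page allow or deny a given request.

# Compile an IAM wildcard pattern (* and ?) into an anchored, case-sensitive Regexp.
def iam_pattern(pattern)
  Regexp.new('\A' + Regexp.escape(pattern).gsub('\*', '.*').gsub('\?', '.') + '\z')
end

# Expand ${aws:username}-style policy variables from the request context.
def substitute_vars(str, ctx)
  str.gsub(/\$\{([^}]+)\}/) { ctx.fetch(Regexp.last_match(1)) }
end

# A Condition block matches only if every operator/key pair matches; a key that
# is absent from the request context fails (as with s3:delimiter below).
def condition_matches?(cond, ctx)
  return true if cond.nil?
  cond.all? do |operator, keys|
    keys.all? do |key, values|
      actual = ctx[key]
      next false if actual.nil?
      Array(values).any? do |v|
        v = substitute_vars(v, ctx)
        case operator
        when 'StringEquals' then actual == v
        when 'StringLike'   then iam_pattern(v).match?(actual)
        else raise ArgumentError, "unsupported operator #{operator}"
        end
      end
    end
  end
end

# Action names are case-insensitive in IAM; resource ARNs are not.
def statement_matches?(stmt, action, resource, ctx)
  Array(stmt['Action']).any? { |a| iam_pattern(a.downcase).match?(action.downcase) } &&
    Array(stmt['Resource']).any? { |r| iam_pattern(substitute_vars(r, ctx)).match?(resource) } &&
    condition_matches?(stmt['Condition'], ctx)
end

def evaluate(policy, action, resource, ctx)
  matching = policy['Statement'].select { |s| statement_matches?(s, action, resource, ctx) }
  return :deny if matching.any? { |s| s['Effect'] == 'Deny' }
  matching.any? { |s| s['Effect'] == 'Allow' } ? :allow : :implicit_deny
end

# The group policy from the question, verbatim.
ORIGINAL_POLICY = JSON.parse(<<~'JSON')
  {"Version":"2012-10-17","Statement":[{"Effect":"Allow",
    "Action":["s3:PutObject","s3:GetObject","s3:GetObjectVersion","s3:DeleteObject","s3:DeleteObjectVersion"],
    "Resource":"arn:aws:s3:::my-app/${aws:username}/*"}]}
JSON

# The "final solution" policy from edit 2, with the bucket name made consistent.
FINAL_POLICY = JSON.parse(<<~'JSON')
  {"Version":"2012-10-17","Statement":[
    {"Sid":"AllowUserToSeeBucketListInTheConsole","Effect":"Allow",
     "Action":["s3:ListAllMyBuckets","s3:GetBucketLocation"],"Resource":["arn:aws:s3:::*"]},
    {"Sid":"AllowRootAndHomeListingOfCompanyBucket","Effect":"Allow","Action":["s3:ListBucket"],
     "Resource":["arn:aws:s3:::my-app"],
     "Condition":{"StringEquals":{"s3:prefix":["","home/"],"s3:delimiter":["/"]}}},
    {"Sid":"AllowListingOfUserFolder","Effect":"Allow","Action":["s3:ListBucket"],
     "Resource":["arn:aws:s3:::my-app"],
     "Condition":{"StringLike":{"s3:prefix":["home/${aws:username}/*"]}}},
    {"Sid":"AllowAllS3ActionsInUserFolder","Effect":"Allow","Action":["s3:*"],
     "Resource":["arn:aws:s3:::my-app/home/${aws:username}/*"]}]}
JSON

# A Paperclip upload with s3_permissions: "public-read" needs both PutObject
# and PutObjectAcl on the object key (the point of the recommended answer).
def upload_decisions(policy, username, key)
  ctx = { 'aws:username' => username }
  arn = "arn:aws:s3:::my-app/#{key}"
  { put: evaluate(policy, 's3:PutObject', arn, ctx),
    acl: evaluate(policy, 's3:PutObjectAcl', arn, ctx) }
end

def list_decision(policy, username, prefix)
  evaluate(policy, 's3:ListBucket', 'arn:aws:s3:::my-app',
           'aws:username' => username, 's3:prefix' => prefix)
end

if __FILE__ == $PROGRAM_NAME
  # Paperclip's original path had no username segment: implicit deny.
  p upload_decisions(ORIGINAL_POLICY, 'site1', 'background_images/1/bg.png')
  # With the username in the key PutObject passes, but PutObjectAcl is still missing.
  p upload_decisions(ORIGINAL_POLICY, 'site1', 'site1/background_images/1/bg.png')
  # Final policy: s3:* under home/<user>/ covers both; a neighbour's folder is denied.
  p upload_decisions(FINAL_POLICY, 'site1', 'home/site1/background_images/1/bg.png')
  p upload_decisions(FINAL_POLICY, 'site1', 'home/site2/background_images/1/bg.png')
  p list_decision(FINAL_POLICY, 'site1', 'home/site1/')
  p list_decision(FINAL_POLICY, 'site1', 'home/site2/')
end
```

The first two calls reproduce the question's symptom and the answer's diagnosis: with the original policy, a key that lacks the `site1/` prefix never matches the Resource ARN, and even a correctly prefixed key is refused the ACL write because `s3:PutObjectAcl` is not in the Action list. The final policy's `s3:*` on `home/${aws:username}/*` grants both, while keys and list prefixes under another user's folder still fall through to the implicit deny, which is the per-site isolation the question was after. For a real account, `aws iam simulate-principal-policy` is the authoritative check; this script only mirrors the subset of semantics these two policies use.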
