从专用用户访问 S3 存储桶（策略失败？）

Posted 2023-03-24

技术标签:

【中文标题】从专用用户访问 S3 存储桶（策略失败？）【英文标题】：Accessing S3 bucket from a dedicated user ( policy failure ? ) 【发布时间】：2022-01-05 15:51:15 【问题描述】：

我正在尝试创建一个具有专用用户的 S3 存储桶，以便使用 terraform 进行上传/下载。

由于某种原因，正在创建的用户无法访问存储桶：

$ aws iam list-attached-user-policies --user-name csgoserver

    "AttachedPolicies": [
        
            "PolicyName": "AllowUsercsgoserverAccessTocsgofiles",
            "PolicyArn": "arn:aws:iam::370179080679:policy/AllowUsercsgoserverAccessTocsgofiles"
        
    ]


$ aws s3 cp bucket.tf s3://csgofiles --profile test
upload failed: .\bucket.tf to s3://csgofiles/bucket.tf An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

$ aws iam get-user-policy --user-name csgoserver --policy-name AllowUsercsgoserverAccessTocsgofiles
An error occurred (NoSuchEntity) when calling the GetUserPolicy operation: The user policy with name AllowUsercsgoserverAccessTocsgofiles cannot be found.

user.tf:

resource "aws_iam_user" "s3user" 
  name = var.user_name
  force_destroy = true


data "aws_iam_policy_document" "default" 
  statement 
    sid       = "AllowUser$var.user_nameAccessTo$var.bucket_name"
    actions   = ["s3:*"]
    resources = ["arn:aws:s3:::$var.bucket_name"]
    effect    = "Allow"
  


resource "aws_iam_user_policy" "s3user_policy" 
  name = aws_iam_user.s3user.name
  user = aws_iam_user.s3user.name

  policy = join("", data.aws_iam_policy_document.default.*.json)


resource "aws_iam_access_key" "s3user_ak" 
  user    = aws_iam_user.s3user.name

还有一件事我不明白。 aws iam get-policy 不适用于该策略：

$ aws iam list-policies --max-items 2

    "Policies": [
        
            "PolicyName": "AllowUsercsgoserverAccessTocsgofiles",
            "PolicyId": "ANPAVMMDEQHTRE4NG3N2E",
            "Arn": "arn:aws:iam::370179080679:policy/AllowUsercsgoserverAccessTocsgofiles",
            "Path": "/",
            "DefaultVersionId": "v1",
            "AttachmentCount": 1,
            "PermissionsBoundaryUsageCount": 0,
            "IsAttachable": true,
            "CreateDate": "2021-11-26T22:17:52+00:00",
            "UpdateDate": "2021-11-26T22:17:52+00:00"
        ,
        
            "PolicyName": "eks-full-access-policy",
            "PolicyId": "ANPAVMMDEQHTR4C65WFT6",
            "Arn": "arn:aws:iam::370179080679:policy/eks-full-access-policy",
            "Path": "/",
            "DefaultVersionId": "v1",
            "AttachmentCount": 0,
            "PermissionsBoundaryUsageCount": 0,
            "IsAttachable": true,
            "CreateDate": "2021-03-30T09:57:04+00:00",
            "UpdateDate": "2021-03-30T09:57:04+00:00"
        
    ],
    "NextToken": "eyJNYXJrZXIiOiBudWxsLCAiYm90b190cnVuY2F0ZV9hbW91bnQiOiAyfQ=="



$ aws iam get-policy --policy-arn arn:aws:iam::370179080679:policy/AllowUsercsgoserverAccessTocsgofile
An error occurred (NoSuchEntity) when calling the GetPolicy operation: Policy arn:aws:iam::370179080679:policy/AllowUsercsgoserverAccessTocsgofile was not found.

$ aws iam get-policy --policy-arn arn:aws:iam::370179080679:policy/eks-full-access-policy

    "Policy": 
        "PolicyName": "eks-full-access-policy",
        "PolicyId": "ANPAVMMDEQHTR4C65WFT6",
        "Arn": "arn:aws:iam::370179080679:policy/eks-full-access-policy",
        "Path": "/",
        "DefaultVersionId": "v1",
        "AttachmentCount": 0,
        "PermissionsBoundaryUsageCount": 0,
        "IsAttachable": true,
        "CreateDate": "2021-03-30T09:57:04+00:00",
        "UpdateDate": "2021-03-30T09:57:04+00:00"

【问题讨论】：

【参考方案1】：

我认为您的 IAM 政策无效。您可以使用类似于以下内容的内容：


  "Id": "Policy1638106306386",
  "Version": "2012-10-17",
  "Statement": [
    
      "Sid": "Stmt1638106302079",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::examplebucket",
      "Principal": 
        "AWS": [
          "370179080679"
        ]
      
    
  ]

我还建议将策略内嵌在您的 aws_iam_user_policy 资源中，而不是使用数据源。从文档来看，政策似乎是aws_iam_user_policy 资源中的必填字段。

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy

可能像下面这样：

resource "aws_iam_user_policy" "s3user_policy" 
  name = aws_iam_user.s3user.name
  user = aws_iam_user.s3user.name

policy = jsonencode (
    "Version": "2012-10-17",
    "Statement": [
    
        "Sid": "Stmt1638106302079",
        "Action": "s3:*",
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::examplebucket/*",
    
    ]
)

【讨论】：

将其更改为您指定的代码示例后，我得到：放置 IAM 用户策略 csgofiles 时出错：MalformedPolicyDocument：策略文档不应指定委托人。删除后主密钥我收到相同的 AccessDenied 消息我讨厌我的生活...... :D 我在资源“/*”中几乎遗漏了两个字符......严重...... 我认为你没看错，我正要发帖说你可能还需要添加存储桶名称和带有“/*”的存储桶名称。我会更新我的帖子以制定正确的政策。【参考方案2】：

我在资源键末尾缺少两个字符 /* ...

data "aws_iam_policy_document" "default" 
  statement 
    sid       = "AllowUser$var.user_nameAccessTo$var.bucket_name"
    actions   = ["s3:*"]
    resources = ["arn:aws:s3:::$var.bucket_name/*"]
    effect    = "Allow"

【讨论】：

以上是关于从专用用户访问 S3 存储桶（策略失败？）的主要内容，如果未能解决你的问题，请参考以下文章

允许用户访问特定 S3 存储桶进行备份的 AWS IAM 策略

AWS S3 拒绝除 1 个用户之外的所有访问 - 存储桶策略

私有登台S3存储桶的策略

AWS S3 访问被拒绝。存储桶权限被授予，那么当我是用户时，我需要存储桶策略吗？

AWS S3 存储桶策略编辑器访问被拒绝

如何为多个 IAM 用户设置 S3 策略，以便每个人只能访问他们的个人存储桶文件夹？