gpt4 book ai didi

mobile - 亚马逊 S3 权限

转载 作者:行者123 更新时间:2023-12-02 09:48:24 30 4
gpt4 key购买 nike

我在 Amazon S3 中使用 GetSessionToken/GetFederationToken 的临时 session ,我计划拥有超过 10K 个用户,每个用户都可以上传到 S3,所以一开始我想到为每个用户使用一个存储桶并设置写入(上传)权限每个用户每个存储桶,但由于每个亚马逊帐户的存储桶数量有限制,我放弃了这个想法。

如何设置允许公开读取、仅当用户要上传的对象的键上有前缀时才上传的权限?

例如,如果用户名 X 上传文件,则 key 必须类似于 X_filename。

或者任何其他可以让我获得安全性的方式,这是针对移动应用程序的,我不想在上传文件时通过我们自己的服务器。

编辑:

我已尝试使用以下策略执行 GetFederationToken 操作

"{
"Statement":[{
"Effect":"Allow",
"Action":["s3:PutObject","s3:GetObject","s3:GetObjectVersion",
"s3:DeleteObject",\"s3:DeleteObjectVersion"],
"Resource":"arn:aws:s3:::user.uploads/john/*"
}
]
}"

我在 S3 上有存储桶 user.uploads 和文件夹 john

但是,使用 session 凭据将任何上传到存储桶 user.uploads 的 key john/filename 都会失败,并且访问被拒绝”

最佳答案

Amazon's Identity and Access Management (IAM)服务就是您所需要的。 documentation有很多示例,其中一些符合您的场景。

来自文档:

Example 5: Allow a partner to drop files into a specific portion of the corporate bucket

In this example, we create a group called WidgetCo that represents the partner company, then create a user for the specific person (or application) at the partner company who needs access, and then put the user in the group.

We then attach a policy that gives the group PutObject access to the following directory in the corporate bucket: my_corporate_bucket/uploads/widgetco.

We also want to prevent the WidgetCo group from doing anything else with the bucket, so we add a statement that denies permission to any Amazon S3 actions except PutObject on any Amazon S3 resource in the AWS account. This is only necessary if there's a broad policy in use elsewhere in your AWS account that gives users wide access to Amazon S3.

{
"Statement":[{
"Effect":"Allow",
"Action":"s3:PutObject",
"Resource":"arn:aws:s3:::my_corporate_bucket/uploads/widgetco/*"
},
{
"Effect":"Deny",
"NotAction":"s3:PutObject",
"Resource":["arn:aws:s3:::my_corporate_bucket/uploads/widgetco/*"]
},
{
"Effect":"Deny",
"Action":"s3:*",
"NotResource": ”arn:aws:s3:::my_corporate_bucket/uploads/widgetco/*"
}]
}

您将为每个用户创建一个新身份,并根据需要使用它来控制对子文件夹(前缀)的访问。

关于mobile - 亚马逊 S3 权限,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/8893026/

30 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com