I have an IAM role which grants permission to list objects only in some prefixes in my bucket. Listing is done directory-style, hence the delimiter/prefix conditions.
```json
{
  "Effect": "Allow",
  "Action": [ "s3:ListBucket" ],
  "Resource": [ "arn:aws:s3:::my-bucket" ],
  "Condition": {
    "StringEquals": {
      "s3:prefix": [ <<ALLOWED-PREFIXES>> ],
      "s3:delimiter": [ "/" ]
    }
  }
}
```
The role also needs to have permission to call the HeadBucket API.
Both ListObjectsV2 and HeadBucket require the s3:ListBucket permission. However, the above policy is causing a Forbidden response when calling HeadBucket. I had hoped to find some condition key such that I can add a statement allowing HeadBucket to succeed while maintaining restricted prefix access - eg aws:http-method=HEAD or s3:operation=head-bucket. However, that doesn't seem to exist.
Converting the StringEquals condition to StringEqualsIfExists nearly does the trick, though now you can call list-objects-v2 without args and list the entire contents of the bucket.
Is there some combination of statements with/without conditions which might allow this? Or is it just the desired/expected behavior from S3 HeadObject since the role does not have FULL access to the bucket?
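The behaviour the question describes turns on how IAM condition operators treat a request that does not carry the condition key at all. The following is an added illustration, not code from the post or from AWS: a small evaluator implementing the IAM semantics of StringEquals (missing key never matches), StringEqualsIfExists (missing key counts as a match) and Null, plus the deny-overrides-allow rule, run against constructed request contexts. The contexts are an assumption taken from what the post reports: HeadBucket and an argument-less ListObjectsV2 are modelled as carrying neither s3:prefix nor s3:delimiter, and "reports/" stands in for the post's <<ALLOWED-PREFIXES>> placeholder.

```python
"""Toy model of the IAM condition operators the question turns on.

Added illustration; not code from the Stack Overflow post or from AWS.
Assumption: HeadBucket and an argument-less ListObjectsV2 present no
s3:prefix / s3:delimiter keys, which is what the post's observations imply.
The exact key set S3 attaches to each real request is not verified here.
"""

# Constructed request contexts (see assumption above).
REQUESTS = {
    "HeadBucket": {"action": "s3:ListBucket", "keys": {}},
    "ListObjectsV2 prefix=reports/": {
        "action": "s3:ListBucket",
        "keys": {"s3:prefix": "reports/", "s3:delimiter": "/"},
    },
    "ListObjectsV2 prefix=secret/": {
        "action": "s3:ListBucket",
        "keys": {"s3:prefix": "secret/", "s3:delimiter": "/"},
    },
    "ListObjectsV2 (no args)": {"action": "s3:ListBucket", "keys": {}},
}


def _cond_matches(operator, expected, keys):
    """Evaluate one condition operator block the way IAM does.

    StringEquals: every listed key must be present and equal one of the values.
    StringEqualsIfExists: a missing key counts as a match.
    Null: {"key": "true"} matches when the key is absent, "false" when present.
    """
    for key, values in expected.items():
        values = values if isinstance(values, list) else [values]
        present = key in keys
        if operator == "StringEquals":
            if not present or keys[key] not in values:
                return False
        elif operator == "StringEqualsIfExists":
            if present and keys[key] not in values:
                return False
        elif operator == "Null":
            want_absent = values[0] == "true"
            if present == want_absent:
                return False
        else:
            raise ValueError(f"unsupported operator {operator}")
    return True


def evaluate(policy, request):
    """Return 'Allow' or 'Deny' (implicit deny included) for one request.

    IAM rule: any matching Deny wins; otherwise any matching Allow allows;
    otherwise implicit deny. Resource matching is omitted (single bucket).
    """
    decision = "Deny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if request["action"] not in actions:
            continue
        conds = stmt.get("Condition", {})
        if not all(_cond_matches(op, exp, request["keys"]) for op, exp in conds.items()):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


ALLOWED_PREFIXES = ["reports/"]  # stands in for the post's <<ALLOWED-PREFIXES>>

# Variant 1: the post's original statement (StringEquals).
POLICY_STRICT = {"Statement": [{
    "Effect": "Allow", "Action": ["s3:ListBucket"],
    "Condition": {"StringEquals": {"s3:prefix": ALLOWED_PREFIXES, "s3:delimiter": ["/"]}},
}]}

# Variant 2: the post's StringEqualsIfExists experiment.
POLICY_IFEXISTS = {"Statement": [{
    "Effect": "Allow", "Action": ["s3:ListBucket"],
    "Condition": {"StringEqualsIfExists": {"s3:prefix": ALLOWED_PREFIXES, "s3:delimiter": ["/"]}},
}]}


def decisions(policy):
    """Map each modelled request name to the policy's decision for it."""
    return {name: evaluate(policy, req) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for label, pol in (("StringEquals", POLICY_STRICT), ("StringEqualsIfExists", POLICY_IFEXISTS)):
        print(label)
        for name, d in decisions(pol).items():
            print(f"  {name:32} {d}")
```

Under these modelled contexts the strict variant denies HeadBucket and the IfExists variant allows the argument-less listing, reproducing both observations in the post. The model also makes the difficulty visible: HeadBucket and the argument-less ListObjectsV2 present the identical (empty) key set, so no condition written over s3:prefix and s3:delimiter, including a Null check, can separate them. Whether S3 attaches any other key to HeadBucket that could be used instead is outside what the post shows and is not asserted here.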
Source: "amazon web services - How to allow S3 HeadBucket without granting unrestricted access to list objects?" (Stack Overflow)