编程语言
首页 > 编程语言> > python – Boto 403 AccessDenied异常与IAM用户凭据,在Cyber​​duck和AWS Web控制台中工作

python – Boto 403 AccessDenied异常与IAM用户凭据,在Cyber​​duck和AWS Web控制台中工作

作者:互联网

我在stackoverflow上发现了很多关于这方面的问题,但没有解决我的问题.经过大量的谷歌搜索仍然我面临AccessDenied异常:

<Error>
<Code>AccessDenied</Code>
</Message><RequestId>ADF9C0DE6C86DF4F</RequestId>
<HostId>JwQLkNB0LuJvh0jwrsJe9wazxLsd+hrZ2qwvjCvmXYd2A/ckCrsotRMHm</HostId>
</Error>

以下是我的用户和组的政策文档:

用户政策:

{
"Statement":[
  {
     "Sid":"AllowListBucketIfSpecificPrefixIsIncludedInRequest",
     "Action":"s3:*",
     "Effect":"Allow",
     "Resource":["arn:aws:s3::: mybucket", "arn:aws:s3:::mybucket/*"],
     "Condition":{
        "StringLike":{"s3:prefix":["Development/*"]
        }
     }
  },
  {
    "Sid":"AllowUserToReadWriteObjectDataInDevelopmentFolder", 
    "Action":"s3:*",
    "Effect":"Allow",
    "Resource":["arn:aws:s3::: mybucket/Development/*"]
  },
  {
     "Sid": "ExplicitlyDenyAnyRequestsForAllOtherFoldersExceptDevelopment",
     "Action": ["s3:ListBucket"],
     "Effect": "Deny",
     "Resource": ["arn:aws:s3::: mybucket", "arn:aws:s3::: mybucket/*"],
     "Condition":{  "StringNotLike": {"s3:prefix":["Development/*"] },
                    "Null"         : {"s3:prefix":false }
      }
  }
]
}

组策略:

{
"Statement": [
{
  "Sid": "AllowGroupToSeeBucketListAndAlsoAllowGetBucketLocationRequiredForListBucket",
  "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
  "Effect": "Allow",
  "Resource": ["arn:aws:s3:::*"]
},
{
  "Sid": "AllowRootLevelListingOfCompanyBucket",
  "Action": ["s3:ListBucket"],
  "Effect": "Allow",
  "Resource": ["arn:aws:s3::: mybucket", "arn:aws:s3::: mybucket/*"],
  "Condition":{
      "StringEquals":{"s3:prefix":[""]}
   }
},
{
  "Sid": "RequireFolderStyleList",
  "Action": ["s3:ListBucket"],
  "Effect": "Deny",
  "Resource": ["arn:aws:s3:::*"],
  "Condition":{
      "StringNotEquals":{"s3:delimiter":"/"}
   }
 },
{
  "Sid": "ExplictDenyAccessToPrivateFolderToEveryoneInTheGroup",
  "Action": ["s3:*"],
  "Effect": "Deny",
  "Resource":["arn:aws:s3:::mybucket/Private/*"]
},
{
  "Sid": "DenyListBucketOnPrivateFolder",
  "Action": ["s3:ListBucket"],
  "Effect": "Deny",
  "Resource": ["arn:aws:s3:::*"],
  "Condition":{
      "StringLike":{"s3:prefix":["Private/"]}
   }
}
]
}

使用用户名 – testuser创建了一个用户
然后获得此IAM用户的access_key和secret_access_key.
现在我可以使用aws web控制台和cyberduck访问mybucket及其子文件夹.

但每当我尝试使用boto访问时,获取AccessDenied异常(错误403).

博托码:

<!-- language: python -->
from boto.s3.connection import S3Connection
connect = S3Connection('_______________________','_____________________')
# Without Validate
bucket = conn.get_bucket('mybucket', validate=False) #here got bucket object
bucket.get_key('one/two/three.png') # AccessDenied


#With Validate
bucket = conn.get_bucket('mybucket') #AccessDenied

当我尝试使用boto-rsync时,即使我遇到同样的问题.

有什么建议 ??

解决方法:

错误403表示拒绝访问,因此存在身份验证问题.要分析API调用和响应,可以使用以下行:

boto.set_stream_logger('boto')

我注意到的一些观点:

>组和用户规则没问题,删除了“mybucket”前面的前导空格
>第一个目录名是“开发”而不是“一个”
>“无验证”表示直接访问文件

以下代码工作正常:

import boto
conn = boto.connect_s3("id","secret")
bucket = conn.get_bucket('mybucket', validate=False)
bucket.get_key('Development/two/three.png')
# <Key: mybucket,Development/two/three.png>

但我是IAM的新手,似乎“With Validate”首先尝试读取“/ mybucket /”,但是它被拒绝通过用户策略ExplicitlyDenyAnyRequestsForAllOtherFoldersExceptDevelopment.

编辑评论“访问开发中的所有键”试试这个::

list = bucket.list("Development/",delimiter="/")
for key in list:
    print key.name

标签:python,amazon-s3,amazon-iam,boto
来源: https://codeday.me/bug/20190831/1774155.html