我可以使用 cyberduck 或 filezilla 登入我的伺服器,但無法讀取我的主目錄。 s3 儲存桶"mybucket"存在。在網路鴨子中我看到
"Cannot readdir on root. Please contact your web hosting service provider for assistance." and in Filezilla "Error: Reading directory .: permission denied"
即使我可以連接到伺服器。
我是否缺少一些策略中的使用者權限以下 ?
這些是我的權限
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::MYBUCKET"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::MYBUCKET/*"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "transfer:*",
"Resource": "*"
}
]
}
這些是我的信任關係:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"Service": "transfer.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
答案1
使用者角色應該是:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListingOfUserFolder",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::BUCKET_NAME"
]
},
{
"Sid": "HomeDirObjectAccess",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObjectVersion",
"s3:DeleteObject",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::BUCKET_NAME/*"
}
]
}
使用者信任關係:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "transfer.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
您的使用者的主目錄應為 /BUCKET_NAME
答案2
我對此有疑問,直到我特別添加了s3:GetObject對該aws_transfer_user策略的許可。我以為s3:ListBucket已經足夠了,但事實並非如此。sftp> ls在我擁有 GetObject 之前會失敗。
這是它的 Terraform:
resource "aws_transfer_user" "example-ftp-user" {
count = length(var.uploader_users)
user_name = var.uploader_users[count.index].username
server_id = aws_transfer_server.example-transfer.id
role = aws_iam_role.sftp_content_incoming.arn
home_directory_type = "LOGICAL"
home_directory_mappings {
entry = "/"
target = "/my-bucket/$${Transfer:UserName}"
}
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSftpUserAccessToS3",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObjectVersion",
"s3:DeleteObject",
"s3:GetObjectVersion",
"s3:GetBucketLocation"
],
"Resource": [
"${aws_s3_bucket.bucket.arn}/${var.uploader_users[count.index].username}",
"${aws_s3_bucket.bucket.arn}/${var.uploader_users[count.index].username}/*"
]
}
]
}
POLICY
}
我在.tfvars文件中定義使用者;例如:
uploader_users = [
{
username = "firstuser"
public_key = "ssh-rsa ...."
},
{
username = "seconduser"
public_key = "ssh-rsa ..."
},
{
username = "thirduser"
public_key = "ssh-rsa ..."
}
]
我希望這可以幫助別人。在我最終讓這項工作發揮作用之前,我花了很多功夫,而且我不能 100% 確定與其他政策的相互作用最終可能會發揮作用。但應用此後,我可以連接並列出儲存桶內容,而不會收到「權限被拒絕」的訊息。