S3的一个好用的功能是能设置为类似SFTP的共享文件夹让用户上传数据,由于S3不是一部机器而是云原生服务,因此在维护上非常简单,而且价钱便宜,非常适合于大量文件保存和共享。
设置的难点在于policy的设定,以下是步骤。
- 进入IAM设置policy
具体策略如下,按需要修改
整个bucket full权限
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "S3:*",
"Resource": "arn:aws:s3:::BUCKET/*",
"Condition": {}
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::BUCKET",
"Condition": {}
}
]
}只允许bucket下某个文件夹full权限
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions"
],
"Resource": "arn:aws:s3:::BUCKET",
"Condition": {
"StringLike": {
"s3:prefix": "FOLDER/*"
}
}
},
{
"Effect": "Allow",
"Action": "s3:*" ,
"Resource": "arn:aws:s3:::BUCKET/FOLDER/*",
"Condition": {}
}
]
}给予存储桶只读权限
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "S3:ListBucket",
"Resource": "arn:aws:s3:::bucket name",
"Condition": {}
},
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket name/*",
"Condition": {}
}
]
}只允许只读访问存储桶下某个指定文件夹
{
"Version": "2012-10-17",
"Statement" : [{
"Sid" : "GiveSimpleListAccessToSharedFolder",
"Effect" : "Allow",
"Action" : "s3:ListBucket",
"Resource" : "arn:aws:s3:::BUCKET",
"Condition" : {
"StringLike" : {
"s3:prefix": "FOLDER/*"
}
}
},
{
"Sid" : "GiveReadAccessToSharedFolder",
"Effect" : "Allow",
"Action" : "s3:GetObject",
"Resource" : "arn:aws:s3:::BUCKET/FOLDER/*"
}]
}-
添加policy后,命名,然后保存
-
返回IAM,点Group,添加组
4. 设置与policy一样的名字,便于识别
-
将之前创建的policy添加到这个组上,等于设定后续用户加入这个组所拥有的用户访问S3的权限
-
完成后可以开始创建添加用户,返回IAM,点用户
-
勾选编程访问
-
添加用户到对应权限组
完成后即可通过S3客户端,例如Cloudberry, Cyberduck访问,把产生的用户IAM key添加到软件即可,如下是Cloudberry界面截图,跟SFTP访问文件夹类似
注意的点,对于中国区S3 policy的权限设定,与外国区有点区别,具体policy如下。如果客户端需要填写S3 server地址,用这个:s3.cn-north-1.amazonaws.com.cn
存储桶full权限
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListBucketIfSpecificPrefixIsIncludedInRequest",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": [
"arn:aws-cn:s3:::bucket"
],
"Condition": {}
},
{
"Sid": "AllowUserToReadWriteObjectDataInDevelopmentFolder",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws-cn:s3:::bucket/*"
]
}
]
}full权限,但是没有删除权限
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListBucketIfSpecificPrefixIsIncludedInRequest",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": [
"arn:aws-cn:s3:::BUCKET"
],
"Condition": {
"StringLike": {
"s3:prefix": "FOLDER/*"
}
}
},
{
"Sid": "AllowUserToReadWriteObjectDataInDevelopmentFolder",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws-cn:s3:::BUCKET/FOLDER/*"
]
}
]
}