s3 no sign request didn't work

0

I use aws s3 --no-sign-request --region us-west-2 ls s3://aws-cloudtrail-logs-01-*******, An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied. but aws s3 ls working. why?

2 Antworten
1

AWS has the ability to generate a policy based on CloudTrail logs, which you obviously are using. See the following documentation on how to use that. https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html Hope this helps.

(Should have posted this as an answer. Sorry.)

beantwortet vor 3 Jahren
0

Do you have the bucket configured for public read access? The --no-sign-request is doing just that, not using credentials to sign the request. This means that the bucket and/or its objects need to be configured to allow public access. There are a number of ways to do this as described in this AWS Support post How can I grant public read access to some objects in my Amazon S3 bucket?.

I must add that AWS strongly discourages making buckets public except in some specific use-cases such as setting permissions for website access.

For your example you would need to

  1. Disable block public access settings for your bucket.
  2. Add a bucket policy like:
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"PublicObjectRead",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject","s3:GetObjectVersion"],
      "Resource":["arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"]
    },
   {
      "Sid":"PublicBucketList",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:ListBucket"],
      "Resource":["arn:aws:s3:::DOC-EXAMPLE-BUCKET"]
    }
   ]
}

Note that s3:ListBucket is the IAM permission needed to call the S3 API function ListObjectsV2

This will allow listing the contents of the bucket.

$ aws s3 ls s3://DOC-EXAMPLE-BUCKET

and reading all objects from the bucket:

$ aws s3 cp s3://DOC-EXAMPLE-BUCKET/someobject ./someobject
AWS
Scott_K
beantwortet vor 3 Jahren

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen