s3 no sign request didn't work

0

I use aws s3 --no-sign-request --region us-west-2 ls s3://aws-cloudtrail-logs-01-******* and get: An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied. But aws s3 ls is working. Why?

asked 3 years ago, 3094 views
2 Answers
1

AWS has the ability to generate a policy based on CloudTrail logs, which you obviously are using. See the following documentation on how to use that. https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html Hope this helps.

(Should have posted this as an answer. Sorry.)

answered 3 years ago
0

Do you have the bucket configured for public read access? The --no-sign-request is doing just that, not using credentials to sign the request. This means that the bucket and/or its objects need to be configured to allow public access. There are a number of ways to do this as described in this AWS Support post, "How can I grant public read access to some objects in my Amazon S3 bucket?".

I must add that AWS strongly discourages making buckets public except in some specific use-cases such as setting permissions for website access.

For your example you would need to:

  1. Disable block public access settings for your bucket.
  2. Add a bucket policy like:
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"PublicObjectRead",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject","s3:GetObjectVersion"],
      "Resource":["arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"]
    },
    {
      "Sid":"PublicBucketList",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:ListBucket"],
      "Resource":["arn:aws:s3:::DOC-EXAMPLE-BUCKET"]
    }
  ]
}

Note that s3:ListBucket is the IAM permission needed to call the S3 API function ListObjectsV2.

This will allow listing the contents of the bucket.

$ aws s3 ls s3://DOC-EXAMPLE-BUCKET

and reading all objects from the bucket:

$ aws s3 cp s3://DOC-EXAMPLE-BUCKET/someobject ./someobject
AWS
Scott_K
answered 3 years ago
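
To see why the unsigned request is refused, or to audit whether a log bucket would answer one, this added example (not code from the answer or from AWS) evaluates a bucket policy as an anonymous caller meets it. It is a simplified model: ACLs, NotPrincipal and statements with a Condition are not evaluated, and `anonymous_allowed`, `API_TO_ACTION` and the service-only sample policy are names and data constructed for the example.

```python
import json
from fnmatch import fnmatchcase

# S3 API call -> IAM action checked for it (ListObjectsV2 -> s3:ListBucket, as the answer notes)
API_TO_ACTION = {"ListObjectsV2": "s3:ListBucket", "GetObject": "s3:GetObject"}
BUCKET = "arn:aws:s3:::DOC-EXAMPLE-BUCKET"

# The policy from the answer above.
PUBLIC_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicObjectRead", "Effect": "Allow", "Principal": "*",
   "Action": ["s3:GetObject", "s3:GetObjectVersion"],
   "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"]},
  {"Sid": "PublicBucketList", "Effect": "Allow", "Principal": "*",
   "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET"]}]}""")

# Constructed sample: a log bucket that only lets the CloudTrail service write.
SERVICE_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ServiceWrite", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:PutObject", "Resource": BUCKET + "/*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "*" and {"AWS": "*"} both match callers that send no credentials.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def _matches(stmt, action, resource):
    # Action names compare case-insensitively; ARNs are case-sensitive.
    acts = [a.lower() for a in _as_list(stmt.get("Action", []))]
    return (any(fnmatchcase(action.lower(), a) for a in acts)
            and any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))))

def anonymous_allowed(policy, api_call, resource, restrict_public_buckets=True):
    """Would an unsigned (--no-sign-request) call pass this bucket policy?"""
    action = API_TO_ACTION[api_call]
    hits = [s for s in _as_list((policy or {}).get("Statement", []))
            if _is_anonymous(s.get("Principal")) and _matches(s, action, resource)]
    if any(s["Effect"] == "Deny" for s in hits):
        return False  # an explicit Deny always wins
    # Simplification: an Allow carrying a Condition is not counted as a grant.
    allows = [s for s in hits if s["Effect"] == "Allow" and "Condition" not in s]
    # RestrictPublicBuckets=true makes S3 refuse anonymous callers despite the policy.
    return bool(allows) and not restrict_public_buckets

if __name__ == "__main__":
    for name, pol in [("public", PUBLIC_POLICY), ("service-only", SERVICE_ONLY_POLICY)]:
        print(name, anonymous_allowed(pol, "ListObjectsV2", BUCKET, restrict_public_buckets=False))
```

Pass the effective Block Public Access value (bucket or account level) as `restrict_public_buckets`; with it left at true, even the public policy above does not let an unsigned request through.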
