Bucket Policy Error - invalid Json

0

Hello, I am trying to find out what's wrong with this JSON.

Unknown Error
An unexpected error occurred. This policy contains invalid Json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3ReadAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::091896477544:role/S3DynamoDBFullAccessRole"
      },
      "Action": "s3:",
      "Resource": [
        "arn:aws:s3:::employee-photo-bucket-al1",
        "arn:aws:s3:::employee-photo-bucket-al1/"
      ]
    }
  ]
}

3 Answers
0

I do not agree with @jschwar313 and @skinsman. The policy looks OK (apart from the '*' being removed from your question in 2 places).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3ReadAccess", 
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::091896477544:role/S3DynamoDBFullAccessRole"
      }, 
      "Action": "s3:*", 
      "Resource": [
        "arn:aws:s3:::employee-photo-bucket-al1", 
        "arn:aws:s3:::employee-photo-bucket-al1/*"
      ]
    }
  ]
}

In the example above I have put back the '*' characters in the right spots.

Now two other things need to be in order for the BucketPolicy to work.

BucketName

The name of the bucket you are applying the policy to must be employee-photo-bucket-al1.

Role reference

Applying the BucketPolicy will only succeed if the role actually exists.

S3DynamoDBFullAccessRole seems to be a role that you created. You can look up the role in the IAM Console and use the copy button near the ARN.

There can be several reasons for the URL not being correct, but most likely there is a path included in the ARN, like in this:

arn:aws:iam::123456789012:role/service-role/S3DynamoDBFullAccessRole

Regards, Jacco

JaccoPK
answered a year ago
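
The checks described in the answer above (the action wildcard, both resource ARNs, the bucket name match and the shape of the role ARN), as an added example that is not part of the original answer and is not AWS's own validator: a small offline linter run on the policy as posted in the question. The function name `lint_bucket_policy` and both regular expressions are assumptions made for illustration; whether the role really exists can only be confirmed in IAM.

```python
import json
import re

# Constructed sample: the policy as posted in the question ('*' characters missing).
QUESTION_POLICY = """
{"Version": "2012-10-17", "Statement": [{
  "Sid": "AllowS3ReadAccess", "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::091896477544:role/S3DynamoDBFullAccessRole"},
  "Action": "s3:",
  "Resource": ["arn:aws:s3:::employee-photo-bucket-al1",
               "arn:aws:s3:::employee-photo-bucket-al1/"]}]}
"""

# Assumed patterns (approximations for this example, not AWS's own grammar).
ACTION_RE = re.compile(r"^(\*|[a-z0-9-]+:[A-Za-z0-9*?]+)$")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/([\w+=,.@-]+/)*[\w+=,.@-]+$")

def as_list(value):  # policy elements may be one string or a list of strings
    return value if isinstance(value, list) else [value]

def lint_bucket_policy(policy_text, bucket_name):
    """Return a list of findings; an empty list means nothing was flagged."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    for stmt in as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        for action in as_list(stmt.get("Action", [])):
            if not ACTION_RE.match(action):  # e.g. "s3:" with no action name
                findings.append(f"{sid}: malformed action {action!r}")
        for res in as_list(stmt.get("Resource", [])):
            if res == bucket_arn + "/":  # object ARN that lost its '*'
                findings.append(f"{sid}: {res!r} has no key pattern after '/'")
            elif res != bucket_arn and not res.startswith(bucket_arn + "/"):
                findings.append(f"{sid}: {res!r} is outside bucket {bucket_name}")
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        for arn in as_list(aws):  # role ARNs may carry a path such as service-role/
            if ":role/" in arn and not ROLE_ARN_RE.match(arn):
                findings.append(f"{sid}: role ARN {arn!r} is not well formed")
    return findings

if __name__ == "__main__":
    for finding in lint_bucket_policy(QUESTION_POLICY, "employee-photo-bucket-al1"):
        print(finding)
```
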
0

What I did to find those documents was to use the visual editor to create the policy using the JSON provided. AWS responded with an error and the documents I posted. Maybe you can do the same.

answered a year ago
