我尝试上传到s3,当我看到来自s3存储桶日志的日志时,这就是它所说的:
mybucket-me [17/Oct/2013:08:18:57 +0000] 120.28.112.39
arn:aws:sts::778671367984:federated-user/[email protected] BB3AA9C408C0D26F
REST.POST.BUCKET avatars/dean%2540player.com/4.png "POST / HTTP/1.1" 403
AccessDenied 231 - 132 - "http://localhost:8080/ajaxupload/test.html" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.52 Safari/537.17" -
我拒绝了访问权限。从它指向的地方我认为我唯一遗漏的是添加存储桶策略。所以这里。
使用我的电子邮件,我可以登录我的应用程序并上传头像。我想要放置我的头像的桶名称是mybucket-me,并且它有一个名为avatars的子桶。
-mybucket-me
-avatars
[email protected] //dynamic based on who are logged in
-myavatar.png //image uploaded
如何添加存储桶策略,以便我可以授予联盟,例如我在s3中上传或者我将在我的存储桶策略中添加的正确语句,以便它可以授予我上传到我们存储桶的权限?
您可以将以下策略附加到存储桶:
{
"Version": "2008-10-17",
"Id": "Policy1358656005371",
"Statement": [
{
"Sid": "Stmt1354655992561",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:sts::778671367984:federated-user/[email protected]"
]
},
"Action": [
"s3:List*",
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::my.bucket",
"arn:aws:s3:::my.bucket/*"
]
}
]
}
授予联合用户[email protected]对'my.bucket'的只读权限。
此策略不易维护,因为它特别为此用户命名。要以更具伸缩性的方式仅访问某些联合用户,最好在调用GetFederationToken时执行此操作。如果您发布STS代码,我可以帮助您在那里分配策略,但它与上面的内容非常相似。
要上传到S3存储桶,您需要添加/创建IAM /组策略,例如:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::test"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": ["arn:aws:s3:::test/*"]
}
]
}
其中arn:aws:s3:::test
是您的亚马逊资源名称(ARN)。
资料来源:Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket
有关:
你现在要么必须:
acl: 'private'
Node.js中的示例:
const upload = multer({
storage: multerS3({
s3: s3,
bucket: 'moodboard-img',
acl: 'private',
metadata: function (req, file, cb) {
cb(null, {fieldName: file.fieldname});
},
key: function (req, file, cb) {
cb(null, Date.now().toString())
}
})
})