我有一个装满内容的桶,大部分都是公开的.但是,有一个文件夹(也称为"前缀")只能由经过身份验证的IAM用户访问.
{ "Statement": [ { "Sid": "AllowIAMUser", "Action": [ "s3:GetObject" ], "Effect": "Allow", "Resource": "arn:aws:s3:::bucket/prefix1/prefix2/private/*", "Principal": { "AWS": [ "arn:aws:iam::123456789012:user/bobbydroptables" ] } }, { "Sid": "AllowAccessToAllExceptPrivate", "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Effect": "Allow", "Resource": "arn:aws:s3:::bucket/*", "Condition": { "StringNotLike": { "s3:prefix": "prefix1/prefix2/private/" } }, "Principal": { "AWS": [ "*" ] } } ] }
当我尝试保存此策略时,我从AWS收到以下错误消息:
Conditions do not apply to combination of actions and resources in statement - Condition "s3:prefix" and action "s3:GetObject" in statement "AllowAccessToAllExceptPrivate"
显然,此错误特别适用于第二个语句.是否无法在"s3:GetObject"操作中使用"s3:prefix"条件?
是否可以获取公共存储桶的一部分并使其仅对经过身份验证的用户可访问?
如果重要,只能通过api以只读方式访问此存储桶.
此问题类似于仅适用于公共限制的Amazon S3存储桶策略,但我尝试采用不同的方法来解决问题.