试图使用AWS CLI下拉S3存储桶的内容,我得到以下内容:
aws s3 cp --region us-east-1 s3://s3.amazonaws.com/my-bucket . --recursive A client error (AccessDenied) occurred when calling the ListObjects operation: Access Denied Completed 1 part(s) with ... file(s) remaining 使用aws s3 sync同样失败。
用户策略是:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:*", "Resource": ["arn:aws:s3:::*"] } ] }
(我也试过各种限制性较弱的政策,但无济于事)。
我试过一个空的桶策略,也是这个桶策略:
{ "Id": "Policy1357935677554", "Statement": [ { "Sid": "Stmt1357935647218", "Action": [ "*" ], "Effect": "Allow", "Resource": "arn:aws:s3:::my-bucket", "Principal": { "AWS": [ "arn:aws:iam::XXXXXXXXXX:user/my-user" ] } }, { "Sid": "Stmt1357935676138", "Action": [ "*" ], "Effect": "Allow", "Resource": "arn:aws:s3:::my-bucket/*", "Principal": { "AWS": [ "arn:aws:iam::XXXXXXXXXX:user/my-user" ] } } ] }
有趣的是,这确实有效:
aws s3api list-objects --region us-east-1 --bucket my-bucket
指定s3位置的格式是s3://bucket/key所以你可以使用s3://my-bucket/而不是s3://s3.amazonaws.com/my-bucket 。