I have an S3 Bucket that I am attempting to Upload files into with a C# solution using TransferUtility().UploadAsync().
The Bucket is marked "Block all Public Access".
In the IAM User account, the upload will succeed if I grant full admin access with the following policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}
But I do not want to grant full admin. So I attempted to create a policy with only the minimal access required. No amount of trying worked. So, I used the visual policy editor and granted every possible access there was, resulting in the following policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetBucketLocation",
                "s3:GetBucketPolicy"
            ],
            "Resource": [
                "arn:aws:s3:::oai.MyBucket/*",
                "arn:aws:s3:::oai.MyBucket"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:PutAnalyticsConfiguration",
                "s3:GetObjectVersionTagging",
                "s3:CreateBucket",
                "s3:ReplicateObject",
                "s3:GetObjectAcl",
                "s3:GetBucketObjectLockConfiguration",
                "s3:DeleteBucketWebsite",
                "s3:GetIntelligentTieringConfiguration",
                "s3:PutLifecycleConfiguration",
                "s3:GetObjectVersionAcl",
                "s3:DeleteObject",
                "s3:GetBucketPolicyStatus",
                "s3:GetObjectRetention",
                "s3:GetBucketWebsite",
                "s3:PutReplicationConfiguration",
                "s3:PutObjectLegalHold",
                "s3:GetObjectLegalHold",
                "s3:GetBucketNotification",
                "s3:PutBucketCORS",
                "s3:GetReplicationConfiguration",
                "s3:ListMultipartUploadParts",
                "s3:PutObject",
                "s3:GetObject",
                "s3:PutBucketNotification",
                "s3:PutBucketLogging",
                "s3:GetAnalyticsConfiguration",
                "s3:PutBucketObjectLockConfiguration",
                "s3:GetObjectVersionForReplication",
                "s3:GetLifecycleConfiguration",
                "s3:GetInventoryConfiguration",
                "s3:GetBucketTagging",
                "s3:PutAccelerateConfiguration",
                "s3:DeleteObjectVersion",
                "s3:GetBucketLogging",
                "s3:ListBucketVersions",
                "s3:RestoreObject",
                "s3:ListBucket",
                "s3:GetAccelerateConfiguration",
                "s3:GetBucketPolicy",
                "s3:PutEncryptionConfiguration",
                "s3:GetEncryptionConfiguration",
                "s3:GetObjectVersionTorrent",
                "s3:AbortMultipartUpload",
                "s3:GetBucketRequestPayment",
                "s3:DeleteBucketOwnershipControls",
                "s3:GetObjectTagging",
                "s3:GetMetricsConfiguration",
                "s3:GetBucketOwnershipControls",
                "s3:DeleteBucket",
                "s3:PutBucketVersioning",
                "s3:GetBucketPublicAccessBlock",
                "s3:ListBucketMultipartUploads",
                "s3:PutIntelligentTieringConfiguration",
                "s3:PutMetricsConfiguration",
                "s3:PutBucketOwnershipControls",
                "s3:GetBucketVersioning",
                "s3:GetBucketAcl",
                "s3:PutInventoryConfiguration",
                "s3:GetObjectTorrent",
                "s3:PutBucketWebsite",
                "s3:PutBucketRequestPayment",
                "s3:PutObjectRetention",
                "s3:GetBucketCORS",
                "s3:GetBucketLocation",
                "s3:ReplicateDelete",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::oai.MyBucket/*",
                "arn:aws:s3:::oai.MyBucket"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "s3:ListStorageLensConfigurations",
                "s3:GetAccessPoint",
                "s3:GetAccountPublicAccessBlock",
                "s3:ListAllMyBuckets",
                "s3:ListAccessPoints",
                "s3:ListJobs",
                "s3:PutStorageLensConfiguration",
                "s3:CreateJob"
            ],
            "Resource": [
                "arn:aws:s3:::oai.MyBucket/*",
                "arn:aws:s3:::oai.MyBucket"
            ]
        }
    ]
}
And even THAT didn't work.
It will only work with the Full Admin Access Policy.
It works with the Full Admin policy, even if I leave my custom policy also applied. In other words, I do not remove MY custom policy and add Full Admin. I just add Full Admin to my policy, and it works.
Any suggestions?
https://stackoverflow.com/questions/65820612/c-sharp-aws-s3-transferutility-uploadasync-wont-work-without-full-admin-acc January 21, 2021 at 11:05AM
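One way to narrow down what the admin policy grants that a scoped policy does not, without leaving `"Action": "*"` attached: the sketch below is an added example, not part of the original question. It is a simplified local matcher, not AWS's evaluation engine. `CUSTOM` holds only the `VisualEditor0` statement from the question; the candidate requests, the object key and the KMS key ARN are assumptions about what an upload might call, since the page does not say which apply.

```python
import fnmatch
import json

# Policies from the question. CUSTOM is only its first statement (VisualEditor0);
# paste the full policy here to check the other statements too.
ADMIN = json.loads('{"Version": "2012-10-17", "Statement": '
                   '[{"Effect": "Allow", "Action": "*", "Resource": "*"}]}')
CUSTOM = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "VisualEditor0", "Effect": "Allow",
  "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket",
             "s3:DeleteObject", "s3:GetBucketLocation", "s3:GetBucketPolicy"],
  "Resource": ["arn:aws:s3:::oai.MyBucket/*", "arn:aws:s3:::oai.MyBucket"]}]}""")

# Assumed candidate requests (constructed): an upload that also sets an ACL,
# sets tags, or writes to a KMS-encrypted bucket needs more than s3:PutObject.
OBJ = "arn:aws:s3:::oai.MyBucket/report.pdf"
CANDIDATES = [
    ("s3:PutObject", OBJ),
    ("s3:PutObjectAcl", OBJ),
    ("s3:PutObjectTagging", OBJ),
    ("kms:GenerateDataKey", "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE"),
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed(policy, action, resource):
    """Identity-policy check only: no Condition, NotAction, SCP or bucket policy."""
    verdict = False
    for st in _as_list(policy["Statement"]):
        # Action names match case-insensitively; resource ARNs are case-sensitive.
        act = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                  for a in _as_list(st.get("Action", [])))
        res = any(fnmatch.fnmatchcase(resource, r)
                  for r in _as_list(st.get("Resource", [])))
        if act and res:
            if st["Effect"] == "Deny":
                return False          # an explicit Deny always wins
            verdict = True
    return verdict

def gap(broad, narrow, requests):
    """Requests the broad policy allows but the narrow one does not."""
    return [(a, r) for a, r in requests
            if allowed(broad, a, r) and not allowed(narrow, a, r)]

if __name__ == "__main__":
    for action, resource in gap(ADMIN, CUSTOM, CANDIDATES):
        print(f"only the admin policy allows: {action} on {resource}")
```

Each entry it reports is a permission to test individually against the real upload; the authoritative answer for which call was denied is the AccessDenied error or the CloudTrail event for the failed request.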