将S3设置为类SFTP服务用于数据上传

S3的一个好用的功能是能设置为类似SFTP的共享文件夹让用户上传数据，而已由于S3不是一部机器而是云原生服务，因此在维护上非常简单，而已价钱便宜，非常适合于大量文件保存和共享。

设置的难点在于policy的设定，以下是步骤。

进入IAM设置policy

具体策略如下，按需要修改

整个bucket full权限

{  "Version": "2012-10-17",  "Statement": [    {      "Effect": "Allow",      "Action": "S3:*",      "Resource": "arn:aws:s3:::BUCKET/*",      "Condition": {}    },    {      "Effect": "Allow",      "Action": [        "s3:ListBucket"      ],      "Resource": "arn:aws:s3:::BUCKET",      "Condition": {}    }  ]}

只允许bucket下某个文件夹full权限

{  "Version": "2012-10-17",  "Statement": [    {      "Effect": "Allow",      "Action": [         "s3:ListBucket",         "s3:ListBucketMultipartUploads",         "s3:ListBucketVersions"       ],      "Resource": "arn:aws:s3:::BUCKET",      "Condition": {        "StringLike": {          "s3:prefix": "FOLDER/*"        }      }    },    {      "Effect": "Allow",      "Action":  "s3:*" ,      "Resource": "arn:aws:s3:::BUCKET/FOLDER/*",      "Condition": {}    }  ]}

给予存储桶只读权限

{    "Version": "2012-10-17",    "Statement": [        {            "Effect": "Allow",            "Action": "S3:ListBucket",            "Resource": "arn:aws:s3:::bucket name",            "Condition": {}        },        {            "Effect": "Allow",            "Action": "s3:GetObject",            "Resource": "arn:aws:s3:::bucket name/*",            "Condition": {}        }    ]}

只允许只读访问存储桶下某个指定文件夹

{  "Version": "2012-10-17",  "Statement" : [{    "Sid" : "GiveSimpleListAccessToSharedFolder",    "Effect" : "Allow",    "Action" : "s3:ListBucket",    "Resource" : "arn:aws:s3:::BUCKET",    "Condition" : {        "StringLike" : {       "s3:prefix": "FOLDER/*"        }    }  },  {    "Sid" : "GiveReadAccessToSharedFolder",    "Effect" : "Allow",    "Action" : "s3:GetObject",    "Resource" : "arn:aws:s3:::BUCKET/FOLDER/*"  }]}

2. 添加policy后，命名，然后保存

3. 返回IAM，点Group，添加组，

4. 设置与policy一样的名字，便于识别

5. 将之前创建的policy添加到这个组上，等于设定后续用户加入这个组所拥有的用户访问S3的权限

6. 完成后可以开始创建添加用户，返回IAM，点用户

7. 勾选编程访问

8. 添加用户到对应权限组

完成后即可通过S3客户端，例如Cloudberry, Cyberduck访问，把产生的用户IAM key添加到软件即可，如下是Cloudberry界面截图，跟SFTP访问文件夹类似

注意的点，对于中国区S3 policy的权限设定，与外国区有点区别，具体policy如下。如果客户端需要填写S3 server地址，用这个：s3.cn-north-1.amazonaws.com.cn

存储桶full权限

{    "Version": "2012-10-17",    "Statement": [        {            "Sid": "AllowListBucketIfSpecificPrefixIsIncludedInRequest",            "Action": [                "s3:ListBucket",                "s3:GetBucketLocation"            ],            "Effect": "Allow",            "Resource": [                "arn:aws-cn:s3:::bucket"            ],            "Condition": {}        },        {            "Sid": "AllowUserToReadWriteObjectDataInDevelopmentFolder",            "Action": [                "s3:GetObject",                "s3:PutObject"            ],            "Effect": "Allow",            "Resource": [                "arn:aws-cn:s3:::bucket/*"            ]        }    ]}

full权限，但是没有删除权限

{    "Version": "2012-10-17",    "Statement": [        {            "Sid": "AllowListBucketIfSpecificPrefixIsIncludedInRequest",            "Action": [                "s3:ListBucket",                "s3:GetBucketLocation"            ],            "Effect": "Allow",            "Resource": [                "arn:aws-cn:s3:::BUCKET"            ],            "Condition": {                "StringLike": {                    "s3:prefix": "FOLDER/*"                }            }        },        {            "Sid": "AllowUserToReadWriteObjectDataInDevelopmentFolder",            "Action": [                "s3:GetObject",                "s3:PutObject"            ],            "Effect": "Allow",            "Resource": [                "arn:aws-cn:s3:::BUCKET/FOLDER/*"            ]        }    ]}

如果文章对你有帮助，请赞赏

赞赏

0人进行了赞赏支持

如果文章对你有帮助，请赞赏

更多相关文章

随机推荐