[AWS][Security] IAM policy minimum granularity management-Lab1

Experiment description:

Task1: Create an IAM user that can access a specific bucket
Task2: Use a policy variable so that each IAM user can access only a specific folder (prefix) under a specific bucket.

Scenarios:

1. A user can only upload and download files, but cannot modify the files already in the bucket.
2. We want user A to access the A folder under the bucket, user B to access the B folder, and so on. Creating a separate policy for each user is tedious. The good news is that IAM policies support variables: we can use the ${aws:username} variable so that each user can access only the folder under the bucket whose name exactly matches their username.

Task1: Create an IAM user to access a specific bucket

In this experiment, we will create an IAM user that has permission to upload and download objects in a specific S3 bucket, but does not have the right to modify the properties of those objects (for example, changing the storage class or making an object public).
Operation steps:
First create a bucket. In the AWS console, click "Services" in the upper left corner and select "S3" from the list of services. On the S3 page, click "Create Bucket".

Enter the name of the bucket to create, such as awsdemo2018. Note that S3 bucket names are globally unique: if any other AWS user has already taken this name, you cannot use it. If you see the message "The bucket name already exists", try another bucket name. After entering the name, click the "Create" button in the lower left corner.

Back in the AWS console, click "Services" in the upper left corner and select "IAM" from the list of services. On the IAM page, click "Users" to see the current users, then click the "Add user" button to add a user.

On the "Set user details" page, enter the user name to create, such as demo2018, check both access types, "Programmatic access" and "AWS Management Console access", leave the rest at their defaults, and click "Next: Permissions".

On the "Set permissions" page, do nothing and just click "Next: Tags". This means the user has no permission to access any AWS resource yet; we will authorize it through a custom policy later.

Click "Next: Review" on the tags page, then click "Create user" on the review page. On the final page, record the console login address, the access key ID, the secret access key and the password (keep the secret access key and password confidential).

Back on the IAM page, click "Policies" and then "Create policy". This time we create a policy that allows the IAM user to access a specific S3 bucket.

The "Create policy" page offers two editing methods, a "Visual editor" and "JSON". This experiment is simple, so you can use the policy below directly. Later, if you are not yet familiar with policy syntax but want to write your own policy, you can build it with the visual editor.
Select "JSON" this time, delete the contents of the JSON editing window, and paste the following policy into it. Change the bucket name in the policy (awsdemo2018) to the name of the bucket you created earlier.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSpecifyBucket",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws-cn:s3:::awsdemo2018/*",
                "arn:aws-cn:s3:::awsdemo2018"
            ]
        }
    ]
}
Click "Review policy" in the lower right corner. On the next page, give the policy a name, such as demo-s3-policy, leave the description blank, and click "Create policy".

After the policy is created, go back to the IAM "Users" page, select the user created earlier, and click "Add permissions".

On the permissions page, click "Attach existing policies directly", filter the policies by searching for the name of the policy you just created, such as "demo-s3-policy", check the policy, and click "Next: Review".

Click "Add permissions" to finish.
We have now created an IAM user and a policy that allows uploading and downloading files in a specific S3 bucket. Let's verify that the policy works as intended.
We need to install the AWS CLI command line tool. The AWS CLI is a unified tool for managing AWS services, with installation packages for Windows, Mac and Linux; download it from https://aws.amazon.com/cn/cli/. After the download and installation are complete, open a terminal (Terminal on Mac/Linux, cmd on Windows) and enter aws --version to check that the AWS CLI is installed correctly. If a version number is printed, the installation is fine.

If a Windows user finds that the aws command is not found after installation, log out of Windows, log in again, and retry.
After the installation is complete, we need to configure the AWS CLI. Enter the aws configure command. In the "AWS Access Key ID" field, enter the access key ID saved when creating the IAM user and press Enter. Enter the secret access key for "AWS Secret Access Key", enter cn-north-1 (Beijing region) or cn-northwest-1 (Ningxia region) for "Default region name", and enter json for "Default output format". An example follows:

➜ ~ aws configure
AWS Access Key ID [None]: AKIAO5ZXXXXXXXX
AWS Secret Access Key [None]: ZEXxAXQJ+XXXXXXXXXXXXXXXXXXX
Default region name [None]: cn-north-1
Default output format [None]: json

After the configuration is complete, we can upload and download files, for example uploading the abc.txt file in the current directory to the bucket awsdemo2018:

➜ ~ aws s3 cp abc.txt s3://awsdemo2018/
upload: ./abc.txt to s3://awsdemo2018/abc.txt
➜ ~

After the upload is complete, use aws s3 ls s3://awsdemo2018/ to check it:

➜ ~ aws s3 ls s3://awsdemo2018/
2018-11-30 14:35:05          0 abc.txt
➜ ~

To download abc.txt to the local /tmp/ directory, use the cp command again:

➜ ~ aws s3 cp s3://awsdemo2018/abc.txt /tmp/
download: s3://awsdemo2018/abc.txt to ../../tmp/abc.txt
➜ ~

I tried to upload a file to another bucket and got an insufficient-permissions error. This is because the policy bound to the IAM user only allows access to the specific bucket, so the user has no permission to access other buckets.

➜ ~ aws s3 cp /tmp/file20M s3://xlaws/
upload failed: ../../tmp/file20M to s3://xlaws/file20M An error occurred (AccessDenied) when calling the CreateMultipartUpload operation: Access Denied
➜ ~
Log in to the console as the IAM user demo2018 at http://console.amazonaws.cn/console, then click "Services" and "S3". We will find that the bucket we want to access is not listed in the console. This is because the policy created earlier did not grant the user the s3:ListAllMyBuckets permission.

Log in to the console as the administrator user, modify the policy demo-s3-policy attached to the IAM user demo2018, and add s3:ListAllMyBuckets to the policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSpecifyBucket",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws-cn:s3:::awsdemo2018/*",
                "arn:aws-cn:s3:::awsdemo2018"
            ]
        },
        {
            "Sid": "AllowListAllBuckets",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        }
    ]
}

After saving the policy, log out the administrator user from the AWS console and log in with the demo2018 user created at the start. After logging in, visit the S3 console again: all buckets are now listed, but operations are still only possible on the specific bucket awsdemo2018. Other buckets are visible, but their contents cannot be accessed. Enter the awsdemo2018 bucket (the bucket you created at the beginning of this experiment), right-click a file uploaded earlier and choose "Make public". You will find that the operation fails.

Task2: Use a policy variable so that each IAM user can access only a specific folder (prefix) under a specific bucket.

In some scenarios, we want user A to access the A folder under the bucket, user B to access the B folder, and so on. Creating a separate policy for each user is tedious. The good news is that IAM policies support variables: we can use the ${aws:username} variable so that each user can access only the folder under the bucket whose name exactly matches their username. Let's verify it: modify the previously created IAM policy demo-s3-policy as follows. Note that we have changed the Resource so that the object-level resource is the ${aws:username} folder under the bucket, which restricts each user to the folder that exactly matches their username.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSpecifyBucket",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws-cn:s3:::awsdemo2018/${aws:username}/*",
                "arn:aws-cn:s3:::awsdemo2018"
            ]
        }
    ]
}

Then create a demo2019 user on the IAM "Users" page and attach the same policy. Now upload a file to S3 as demo2018 and as demo2019: demo2018 can only upload objects to the demo2018 folder, and demo2019 can only upload objects to the demo2019 folder:

➜ ~ aws s3 cp hello.mp3 s3://awsdemo2018/demo2018/
upload: ./hello.mp3 to s3://awsdemo2018/demo2018/hello.mp3
➜ ~ aws s3 cp hello.mp3 s3://awsdemo2018/demo2019/
upload failed: ./hello.mp3 to s3://awsdemo2018/demo2019/hello.mp3 An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
➜ ~
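As an added example (not code from the original post), the following Python script models how IAM applies the ${aws:username} variable and default deny to the Task 2 policy: it substitutes the username into the Resource ARNs and then checks the requests seen in both tasks (writing to another bucket, making an object public, writing to another user's folder, listing the bucket). It is a simplified model of the identity policy only; real IAM also evaluates Deny statements, conditions, bucket policies and SCPs.

```python
import fnmatch
import json

# Simplified model (added example, not the post's code) of how IAM evaluates
# the Task 2 identity policy: ${aws:username} is replaced with the value from
# the request context, then Action and Resource are matched with wildcards.
# Only Allow statements are modelled; anything unmatched is denied by default.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowSpecifyBucket", "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws-cn:s3:::awsdemo2018/${aws:username}/*",
                 "arn:aws-cn:s3:::awsdemo2018"]
  }]
}""")

def as_list(value):
    """Action and Resource may be a single string or a list."""
    return value if isinstance(value, list) else [value]

def is_allowed(policy, username, action, resource_arn):
    """True if some Allow statement covers (action, resource) for this user."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        # Action names are case-insensitive in IAM; resource ARNs are not.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in as_list(stmt["Action"])):
            continue
        for pattern in as_list(stmt["Resource"]):
            concrete = pattern.replace("${aws:username}", username)
            if fnmatch.fnmatchcase(resource_arn, concrete):
                return True
    return False  # default deny

if __name__ == "__main__":
    bucket = "arn:aws-cn:s3:::awsdemo2018"
    checks = [  # (user, action, resource) requests taken from the experiment
        ("demo2018", "s3:PutObject", bucket + "/demo2018/hello.mp3"),  # allowed
        ("demo2018", "s3:PutObject", bucket + "/demo2019/hello.mp3"),  # denied
        ("demo2018", "s3:PutObject", "arn:aws-cn:s3:::xlaws/file20M"),  # denied
        ("demo2018", "s3:PutObjectAcl", bucket + "/demo2018/hello.mp3"),  # "Make public": denied
        ("demo2019", "s3:ListBucket", bucket),  # ListBucket is bucket-level, so allowed
    ]
    for user, action, arn in checks:
        print(f"{user} {action} {arn} -> {is_allowed(POLICY, user, action, arn)}")
```

Note that s3:ListBucket is granted on the whole bucket, so any user with this policy can list the key names in other users' folders even though GetObject on them is denied; against the real engine, the IAM policy simulator (aws iam simulate-principal-policy) performs the same kind of check.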

Conclusion:

In this experiment we created a policy that only allows the user to upload and download objects in a specific bucket; the user cannot modify the permissions of the objects, nor delete objects in the bucket. Later we modified the IAM user's policy to let the user list other buckets in the AWS web console, while still not being able to operate on them. In your own production environment you can create policies that fit your needs, such as only allowing uploads, only allowing access to S3 from a specific IP address, or only from within a certain VPC. Beyond upload and download permissions, IAM offers much finer-grained control over S3; when creating a policy, you can browse the available actions in the "Visual editor" and build your own detailed policy.

This experiment only uses access to an S3 bucket as an example. You can also create policies for other services, such as allowing an IAM user only to start and stop an EC2 instance, or controlling permissions based on tags.

For a detailed IAM video tutorial, see: https://edu.51cto.com/center/course/lesson/index?id=533838

Origin blog.csdn.net/u010478127/article/details/106810523