The IAM identity policy needed to mount an AWS S3 bucket as a file-system volume is shown below. It allows the S3 actions ListBucket, GetObject, PutObject and DeleteObject; the accessible Resource is the S3 bucket itself and all objects under it.
Two Resource entries are required because s3:ListBucket is evaluated against the bucket ARN, while s3:GetObject, s3:PutObject and s3:DeleteObject are evaluated against object ARNs (<bucket ARN>/<key>). A policy that lists only the bucket ARN fails on file reads and writes, and one that lists only <bucket ARN>/* fails on directory listing, both with AccessDenied. This policy grants write and delete access; a read-only mount needs only s3:ListBucket and s3:GetObject. Check the mount tool's documentation for any extra actions it needs (Mountpoint for Amazon S3, for example, also requires s3:AbortMultipartUpload for writes).
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MountS3Bucket",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "<S3_ARN>",
                "<S3_ARN>/*"
            ]
        }
    ]
}
For example, if the bucket to be mounted is named bucket-202404241830-001, its ARN is arn:aws:s3:::bucket-202404241830-001 and the policy is:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MountS3Bucket",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-202404241830-001",
                "arn:aws:s3:::bucket-202404241830-001/*"
            ]
        }
    ]
}
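As an added example (not code from the original post), the Python script below generates the policy above for any bucket name and checks a policy document for the mistakes that most often break a mount: an action granted on the wrong Resource level (for instance s3:ListBucket only on <bucket ARN>/*), a wildcard Resource that opens every bucket in the account, and JSON that IAM would reject, such as the missing or trailing commas in a hand-edited document. The function names (mount_policy, check_mount_policy, is_valid_policy_json) are the example's own, and nothing here calls AWS, so it runs offline.

```python
"""Generate and sanity-check the IAM identity policy for mounting one S3 bucket.

Added example, not code from the original post. Assumes only the AWS IAM policy
grammar; nothing here talks to AWS, so it runs offline.
"""
import json
import re

# s3:ListBucket is evaluated against the bucket ARN itself ...
BUCKET_ACTIONS = {"s3:ListBucket"}
# ... while the object actions are evaluated against arn:aws:s3:::<bucket>/<key>.
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}
REQUIRED_ACTIONS = BUCKET_ACTIONS | OBJECT_ACTIONS

BUCKET_ARN_RE = re.compile(r"^arn:aws:s3:::([^/]+)$")      # bucket-level ARN
OBJECT_ARN_RE = re.compile(r"^arn:aws:s3:::([^/]+)/(.+)$")  # object-level ARN


def mount_policy(bucket_name: str) -> dict:
    """Return the mount policy from the post, filled in for bucket_name."""
    arn = f"arn:aws:s3:::{bucket_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "MountS3Bucket",
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:GetObject",
                           "s3:PutObject", "s3:DeleteObject"],
                # Bucket ARN for ListBucket, <bucket ARN>/* for the object actions.
                "Resource": [arn, f"{arn}/*"],
            }
        ],
    }


def check_mount_policy(policy: dict, bucket_name: str) -> list:
    """Return a list of problems; an empty list means the policy should work for a mount."""
    problems = []
    allowed = {}  # action -> set of resource levels ("bucket"/"object") it is allowed on

    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources

        levels = set()
        for res in resources:
            if res in ("*", "arn:aws:s3:::*"):
                problems.append(f"resource {res!r} grants access to every bucket, not just {bucket_name}")
                levels |= {"bucket", "object"}
            elif (m := BUCKET_ARN_RE.match(res)) and m.group(1) == bucket_name:
                levels.add("bucket")
            elif (m := OBJECT_ARN_RE.match(res)) and m.group(1) == bucket_name:
                levels.add("object")
            else:
                problems.append(f"resource {res!r} does not name bucket {bucket_name} exactly")
        for act in actions:
            allowed.setdefault(act, set()).update(levels)

    # Every required action must be allowed on the resource level IAM evaluates it against.
    for act in sorted(REQUIRED_ACTIONS):
        need = "bucket" if act in BUCKET_ACTIONS else "object"
        if need not in allowed.get(act, set()):
            problems.append(f"{act} is not allowed on the {need}-level ARN")
    return problems


def is_valid_policy_json(text: str) -> bool:
    """IAM rejects documents that are not strict JSON (e.g. missing or trailing commas)."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


if __name__ == "__main__":
    name = "bucket-202404241830-001"
    print(json.dumps(mount_policy(name), indent=4))
    print("problems:", check_mount_policy(mount_policy(name), name))
```

Run the script as-is to print the policy for the bucket from the post; feed check_mount_policy a policy you are about to attach and treat any non-empty result as a reason not to attach it.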