整理一些策略,方便使用
参考配置
- 获取删除上传下载
{"Version": "2012-10-17",
"Statement": [
{"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::<bucket>/*"
]
}
]
}
方便数据分析使用的
比如dremio 查询s3的,同时配置了DeleteObject以及PutObject 方便数据维护操作
{"Version": "2012-10-17",
"Statement": [
{"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::<bucket>/*"
]
}
]
}
console 管理的
来自官方
{"Version": "2012-10-17",
"Statement": [
{"Effect": "Allow",
"Action": [
"admin:*"
]
},
{"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::*"
]
}
]
}
只读的
来自官方,当然对于resource 自己加工下就可以控制特定bucket 了
{"Version": "2012-10-17",
"Statement": [
{"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::*"
]
}
]
}
读写的
来自官方,当然对于resource 自己加工下就可以控制特定bucket 了
{"Version": "2012-10-17",
"Statement": [
{"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::*"
]
}
]
}
支持诊断的
来自官方
{"Version": "2012-10-17",
"Statement": [
{"Effect": "Allow",
"Action": [
"admin:ConsoleLog",
"admin:OBDInfo",
"admin:Profiling",
"admin:Prometheus",
"admin:ServerInfo",
"admin:ServerTrace",
"admin:TopLocksInfo",
"admin:BandwidthMonitor"
],
"Resource": [
"arn:aws:s3:::*"
]
}
]
}
说明
以上是一些简单的策略,主要是一个记录,方便使用,iam 策略很多时候需要结合多种进行组合才能有自己期望的效果,可以看看官方文档了解提供的说明
joining组合配置
参考资料
https://docs.aws.amazon.com/iam/index.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html
https://min.io/docs/minio/kubernetes/upstream/administration/identity-access-management.html
https://min.io/docs/minio/kubernetes/upstream/administration/identity-access-management/policy-based-access-control.html
