使用 S3 访问权限管控提供的凭证访问 S3 数据 - Amazon Simple Storage Service
S3 访问权限管控中支持的 S3 操作

使用 S3 访问权限管控提供的凭证访问 S3 数据

在被授权者通过其访问授权获得临时凭证后,他们可以使用这些临时凭证来调用 Amazon S3 API 操作以访问您的数据。

被授权者可以使用 AWS Command Line Interface(AWS CLI)、AWS SDK 和 Amazon S3 REST API 来访问 S3 数据。此外,可以使用 AWS PythonJava 插件来调用 S3 访问权限管控

在被授权者从 S3 Access Grants 获得临时凭证后,他们可以使用这些凭证设置配置文件来检索数据。

要安装 AWS CLI,请参阅 AWS Command Line Interface 用户指南中的安装 AWS CLI

要使用以下示例命令,请将 user input placeholders 替换为您自己的信息。

例– 设置配置文件
aws configure set aws_access_key_id "$accessKey" --profile access-grants-consumer-access-profile
aws configure set aws_secret_access_key "$secretKey" --profile access-grants-consumer-access-profile
aws configure set aws_session_token "$sessionToken" --profile access-grants-consumer-access-profile

要使用以下示例命令,请将 user input placeholders 替换为您自己的信息。

例– 获取 S3 数据

被授权者可以使用 get-object AWS CLI 命令来访问数据。被授权者还可以使用 put-objectls 和其它 S3 AWS CLI 命令。

aws s3api get-object \
--bucket amzn-s3-demo-bucket1 \
--key myprefix \
--region us-east-2 \
--profile access-grants-consumer-access-profile

此部分中的示例说明被授权者如何使用 AWS SDK 访问 S3 数据。

Java

以下 Java 代码示例从 S3 存储桶中获取对象。有关创建和测试有效示例的说明,请参阅《适用于 Java 的 AWS SDK 开发人员指南》中的 Getting Started


import com.amazonaws.AmazonServiceException;
import com.amazonaws.SdkClientException;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.GetObjectRequest;
import com.amazonaws.services.s3.model.ResponseHeaderOverrides;
import com.amazonaws.services.s3.model.S3Object;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;

public class GetObject2 {

    public static void main(String[] args) throws IOException {
        Regions clientRegion = Regions.DEFAULT_REGION;
        String bucketName = "*** Bucket name ***";
        String key = "*** Object key ***";

        S3Object fullObject = null, objectPortion = null, headerOverrideObject = null;
        try {
            AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
                    .withRegion(clientRegion)
                    .withCredentials(new ProfileCredentialsProvider())
                    .build();

            // Get an object and print its contents.
            System.out.println("Downloading an object");
            fullObject = s3Client.getObject(new GetObjectRequest(bucketName, key));
            System.out.println("Content-Type: " + fullObject.getObjectMetadata().getContentType());
            System.out.println("Content: ");
            displayTextInputStream(fullObject.getObjectContent());

            // Get a range of bytes from an object and print the bytes.
            GetObjectRequest rangeObjectRequest = new GetObjectRequest(bucketName, key)
                    .withRange(0, 9);
            objectPortion = s3Client.getObject(rangeObjectRequest);
            System.out.println("Printing bytes retrieved.");
            displayTextInputStream(objectPortion.getObjectContent());

            // Get an entire object, overriding the specified response headers, and print
            // the object's content.
            ResponseHeaderOverrides headerOverrides = new ResponseHeaderOverrides()
                    .withCacheControl("No-cache")
                    .withContentDisposition("attachment; filename=example.txt");
            GetObjectRequest getObjectRequestHeaderOverride = new GetObjectRequest(bucketName, key)
                    .withResponseHeaders(headerOverrides);
            headerOverrideObject = s3Client.getObject(getObjectRequestHeaderOverride);
            displayTextInputStream(headerOverrideObject.getObjectContent());
        } catch (AmazonServiceException e) {
            // The call was transmitted successfully, but Amazon S3 couldn't process
            // it, so it returned an error response.
            e.printStackTrace();
        } catch (SdkClientException e) {
            // Amazon S3 couldn't be contacted for a response, or the client
            // couldn't parse the response from Amazon S3.
            e.printStackTrace();
        } finally {
            // To ensure that the network connection doesn't remain open, close any open
            // input streams.
            if (fullObject != null) {
                fullObject.close();
            }
            if (objectPortion != null) {
                objectPortion.close();
            }
            if (headerOverrideObject != null) {
                headerOverrideObject.close();
            }
        }
    }

    private static void displayTextInputStream(InputStream input) throws IOException {
        // Read the text input stream one line at a time and display each line.
        BufferedReader reader = new BufferedReader(new InputStreamReader(input));
        String line = null;
        while ((line = reader.readLine()) != null) {
            System.out.println(line);
        }
        System.out.println();
    }
}

S3 访问权限管控中支持的 S3 操作

被授权者可以使用 S3 访问权限管控提供的临时凭证,对他们有权访问的 S3 数据执行 S3 操作。以下是被授权者可以执行的受支持 S3 操作的列表。支持哪些操作取决于在访问授权中授予的权限级别,即 READWRITEREADWRITE

注意

除了下面列出的 Amazon S3 权限外,Amazon S3 还可以调用 AWS Key Management Service(AWS KMS)Decryptkms:decryptREAD 权限或 AWS KMS GenerateDataKeykms:generateDataKeyWRITE 权限。这些权限不支持直接访问 AWS KMS 密钥。

S3 IAM 操作 API 操作和文档 S3 访问权限管控权限 S3 资源
s3:GetObject GetObject READ 对象
s3:GetObjectVersion GetObject READ 对象
s3:GetObjectAcl GetObjectAcl READ 对象
s3:GetObjectVersionAcl GetObjectAcl READ 对象
s3:ListMultipartUploads ListParts READ 对象
s3:PutObject PutObjectCreateMultipartUploadUploadPartUploadPartCopyCompleteMultipartUpload WRITE 对象
s3:PutObjectAcl PutObjectAcl WRITE 对象
s3:PutObjectVersionAcl PutObjectAcl WRITE 对象
s3:DeleteObject DeleteObject WRITE 对象
s3:DeleteObjectVersion DeleteObject WRITE 对象
s3:AbortMultipartUpload AbortMultipartUpload WRITE 对象
s3:ListBucket HeadBucketListObjectsV2ListObjects READ 存储桶
s3:ListBucketVersions ListObjectVersions READ 存储桶
s3:ListBucketMultipartUploads ListMultipartUploads READ 存储桶