Wednesday, October 7, 2015

AWS S3 ACL Policy Condition

I'm trying to set up my role policy for S3. What I'm trying to do is allow users to get out any images that contain "public" in their name. The problem is that I seem to have gotten the correct policy (it succeeds in the policy simulator), but when I'm running it in my app it doesn't seem to be working properly.

Here is my policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "mobileanalytics:PutEvents",
                "cognito-sync:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": "*public*"
                }
            }
        }
    ]
}

I am setting the s3:prefix as user1/image1-public. Like I mentioned before, on the policy simulator, it allows all "Get" and "List" commands (just like it should).

The problem is when I'm downloading an example image from the database using the transfer manager in the iOS app, I get the following error:

2015-10-07 14:22:01.716 SimpleAuth[71584:8584520] Error: Error Domain=com.amazonaws.AWSS3ErrorDomain Code=1 "The operation couldn’t be completed. (com.amazonaws.AWSS3ErrorDomain error 1.)" UserInfo=0x7fcbf2d8c560 {HostId=ke/f5x+DKCnjuzlbH5XBWCQfawbkUIRWWhPcY9LdqjPqP5kUyq0rzIjkqeL+8Bm/fvr/l24Wm94=, Message=Access Denied, Code=AccessDenied, RequestId=180803E4DDD0BB73}

The code that I have in the Xcode project is:

AWSS3TransferManagerDownloadRequest *downloadRequest = [AWSS3TransferManagerDownloadRequest new];

downloadRequest.bucket = @"test";
downloadRequest.key = @"user1/image1-public";
downloadRequest.downloadingFileURL = downloadingFileURL;

// Download the file.
[[transferManager download:downloadRequest] continueWithExecutor:[AWSExecutor mainThreadExecutor]
                                                       withBlock:^id(AWSTask *task) {
    if (task.error) {
        if ([task.error.domain isEqualToString:AWSS3TransferManagerErrorDomain]) {
            switch (task.error.code) {
                case AWSS3TransferManagerErrorCancelled:
                case AWSS3TransferManagerErrorPaused:
                    break;

                default:
                    NSLog(@"Error: %@", task.error);
                    break;
            }
        } else {
            // Errors from other domains, e.g. S3 service errors such as AccessDenied.
            NSLog(@"Error: %@", task.error);
        }
    }

    if (task.result) {
        AWSS3TransferManagerDownloadOutput *downloadOutput = task.result;
        // File downloaded successfully.

        NSLog(@"Now go to the next screen");

        [self performSegueWithIdentifier:@"LoginSuccessSegue" sender:self];
    }
    return nil;
}];

Any help would be greatly appreciated. I've never been able to get a "Condition" to work on an ACL.
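Added example, not part of the question: a small Python model of the IAM evaluation rules involved. It encodes one documented fact, that the s3:prefix condition key is populated only on bucket-listing requests (ListBucket and friends), never on GetObject, so a plain StringLike on s3:prefix cannot match a download; the policy simulator passes because the key was typed in by hand. The evaluator itself is a deliberate simplification (Allow statements, `*`/`?` wildcards, StringLike only, no Deny), and ARN_POLICY is an assumed alternative that restricts GetObject by object ARN instead; bucket "test" and the object key come from the post.

```python
import fnmatch

# Constructed sample values; bucket "test" and the object key come from the post.
BUCKET_ARN = "arn:aws:s3:::test"
OBJECT_ARN = "arn:aws:s3:::test/user1/image1-public"


def iam_match(pattern, value):
    """IAM wildcard matching: '*' and '?' only, case-sensitive (fnmatch is close enough here)."""
    return fnmatch.fnmatchcase(value, pattern)


def condition_holds(condition, context):
    # A plain StringLike needs the key present in the request context; a key the
    # request never carries (s3:prefix on GetObject) makes the condition false.
    for key, pattern in condition.get("StringLike", {}).items():
        if key not in context or not iam_match(pattern, context[key]):
            return False
    return True


def is_allowed(policy, action, resource, context=None):
    """True if some Allow statement matches action, resource and condition (simplified: no Deny)."""
    context = context or {}
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if not any(iam_match(a, action) for a in st["Action"]):
            continue
        if not any(iam_match(r, resource) for r in st["Resource"]):
            continue
        if condition_holds(st.get("Condition", {}), context):
            return True
    return False


# The S3 statement from the post: the restriction lives in a condition on s3:prefix.
PREFIX_POLICY = {"Statement": [{
    "Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
    "Resource": ["arn:aws:s3:::*"],
    "Condition": {"StringLike": {"s3:prefix": "*public*"}}}]}

# Assumed alternative: restrict GetObject by object ARN, keep s3:prefix only for ListBucket.
ARN_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::test/*public*"]},
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [BUCKET_ARN],
     "Condition": {"StringLike": {"s3:prefix": "*public*"}}}]}

if __name__ == "__main__":
    # A real GetObject request carries no s3:prefix, so the first policy denies it.
    print(is_allowed(PREFIX_POLICY, "s3:GetObject", OBJECT_ARN))  # False
    print(is_allowed(ARN_POLICY, "s3:GetObject", OBJECT_ARN))     # True
```

The second call with a hand-supplied s3:prefix context reproduces the simulator result; the real request has no such key, which is the mismatch between the simulator and the app.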
