Amazon Simple Storage Service
Developer Guide (API Version 2006-03-01)
AWS services or the features described in the AWS documentation may vary by Region or location. Click Getting Started with Amazon AWS to see the specific differences for the China Regions.

Making Requests Using IAM User Temporary Credentials - AWS SDK for Ruby

An IAM user or an AWS account can use the AWS SDK for Ruby to request temporary security credentials (see Making Requests) and then use those credentials to access Amazon S3. The credentials expire when the session duration ends. By default, a session lasts one hour. If you use IAM user credentials, you can specify a session duration of 1 to 36 hours when you request the temporary security credentials.

Making requests using IAM user temporary security credentials

1. Create a new AWS Security Token Service (AWS STS) client with Aws::STS::Client.new and obtain temporary credentials.

2. Create a new IAM user policy for the new user that grants temporary permission to list the contents of a bucket.

3. Create an Amazon S3 client with the temporary credentials and use them to list the contents of the specified bucket. If you send a request with expired credentials, Amazon S3 returns an error.

The following Ruby code example demonstrates the preceding tasks.

```ruby
require 'aws-sdk-s3'

# The original snippet leaves these three values undefined; replace them with your own.
region = 'us-west-2'
user_name = 'TemporaryUser'   # federated user name passed to GetFederationToken (2-32 characters)
bucket_name = 'example_bucket'

# Create new STS client and get temporary credentials
sts = Aws::STS::Client.new(region: region)
temp_creds = sts.get_federation_token({
  duration_seconds: 3600,
  name: user_name,
  policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:ListBucket\",\"Resource\":\"arn:aws:s3:::#{bucket_name}\"}]}",
})
sts_creds = temp_creds.credentials
=begin
access_key_id = sts_creds.access_key_id # String
expiration = sts_creds.expiration # Time
secret_access_key = sts_creds.secret_access_key # String
session_token = sts_creds.session_token # String
=end

# Wrap the STS credential set in an Aws::Credentials object, which is what the
# SDK's credentials: option expects. The session token must be included, or
# Amazon S3 rejects the request.
credentials = Aws::Credentials.new(
  sts_creds.access_key_id,
  sts_creds.secret_access_key,
  sts_creds.session_token
)

# Create S3 client with temporary credentials
s3 = Aws::S3::Client.new(region: region, credentials: credentials)

# Get an Amazon S3 resource that reuses the temporary-credential client.
# (The original built a second resource without credentials, which would have
# listed the bucket with your long-term credentials instead of the temporary ones.)
s3_resource = Aws::S3::Resource.new(client: s3)

# Create an array of the object key names in the bucket (the collection pages
# through all keys; a request made after the credentials expire raises an error)
keys = s3_resource.bucket(bucket_name).objects.collect(&:key)

# Print the array to the terminal
puts keys
```

Note

If you use AWS account security credentials to obtain temporary security credentials, the temporary security credentials are valid for only one hour. You can specify a session duration only when you request the session using IAM user credentials.
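As an added example (not code from the Amazon S3 Developer Guide or from the AWS SDK for Ruby), the following stdlib-only Ruby helpers make explicit three points that the three-step procedure above and this note leave to the reader: building the session policy handed to GetFederationToken as structured JSON, with the bucket name validated before it is interpolated into the Resource ARN; keeping the requested duration inside the limits the note states (1 to 36 hours for IAM user credentials, one hour for AWS account credentials); and deciding when a credential set is close enough to its expiration that a request built now would be rejected by Amazon S3. The module and method names (TempCredsHelper, list_bucket_policy, session_duration, expired?) are assumptions made for this example, and it runs without the SDK or any AWS call.

```ruby
require 'json'

# Hypothetical helper module for this example; not part of the AWS SDK for Ruby.
module TempCredsHelper
  ONE_HOUR = 3600
  MAX_IAM_USER_SECONDS = 36 * ONE_HOUR # upper bound the guide states for IAM user credentials
  BUCKET_NAME = /\A[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]\z/

  # Build the session policy that scopes the temporary credentials down to
  # s3:ListBucket on a single bucket. The bucket name is validated first so a
  # value taken from user input cannot carry characters (a "*", a "/", a quote)
  # that would widen the Resource once interpolated into the ARN, and
  # JSON.generate handles quoting instead of a hand-escaped string.
  def self.list_bucket_policy(bucket_name)
    unless bucket_name.is_a?(String) && bucket_name.match?(BUCKET_NAME)
      raise ArgumentError, "not a valid bucket name: #{bucket_name.inspect}"
    end

    JSON.generate(
      'Version' => '2012-10-17',
      'Statement' => [{
        'Sid' => 'ListOneBucket',
        'Effect' => 'Allow',
        'Action' => 's3:ListBucket',
        'Resource' => "arn:aws:s3:::#{bucket_name}"
      }]
    )
  end

  # Return the duration_seconds to request, enforcing the window the guide
  # describes: one hour by default; 1 to 36 hours for IAM user credentials;
  # one hour at most for AWS account credentials.
  def self.session_duration(requested_seconds = nil, iam_user: true)
    return ONE_HOUR if requested_seconds.nil?

    max = iam_user ? MAX_IAM_USER_SECONDS : ONE_HOUR
    unless requested_seconds.is_a?(Integer) && requested_seconds.between?(ONE_HOUR, max)
      raise ArgumentError, "duration must be between #{ONE_HOUR} and #{max} seconds"
    end
    requested_seconds
  end

  # Treat a credential set as expired a little before its real expiration, so a
  # request assembled now does not reach Amazon S3 after the token has lapsed.
  # `expiration` is the Time that GetFederationToken returns in credentials.expiration.
  def self.expired?(expiration, now: Time.now, margin_seconds: 60)
    expiration - margin_seconds <= now
  end
end

if __FILE__ == $PROGRAM_NAME
  puts TempCredsHelper.list_bucket_policy('example-bucket')
  puts TempCredsHelper.session_duration(2 * TempCredsHelper::ONE_HOUR)
  # Constructed expiration value standing in for credentials.expiration
  puts TempCredsHelper.expired?(Time.now + 30)
end
```

The policy string returned by list_bucket_policy can be passed directly as the policy: argument of get_federation_token; session_duration raises instead of silently clamping so a caller asking for a 12-hour session with account credentials finds out before the STS call rather than from an AWS error.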

The following Ruby code example creates a federated policy for a temporary user to list the items in a specified bucket for one hour. To use this code example, your AWS credentials must have the permissions needed to create a new AWS STS client and to list Amazon S3 buckets.

```ruby
require 'aws-sdk-s3'
require 'aws-sdk-iam' # needed for Aws::IAM::Resource; aws-sdk-s3 alone does not load it

USAGE = <<DOC
Usage: sts_create_bucket_policy.rb -b BUCKET -u USER [-r REGION] [-d] [-h]

  Creates a federated policy for USER to list items in BUCKET for one hour

  BUCKET is required and must already exist
  USER is required and if not found, is created

  If REGION is not supplied, defaults to us-west-2.

  -d gives you extra (debugging) information.
  -h displays this message and quits
DOC

$debug = false

def print_debug(s)
  if $debug
    puts s
  end
end

def get_user(region, user_name, create)
  iam = Aws::IAM::Resource.new(region: region)

  if create
    print_debug("Trying to create new user #{user_name} in region #{region}")
  else
    print_debug("Getting user #{user_name} in region #{region}")
  end

  # First see if user exists. iam.user returns a lazy resource object and is
  # never nil, so the existence check must be explicit (the original compared
  # the object to nil, which never created the user).
  user = iam.user(user_name)

  if !user.exists? && create
    user = iam.create_user(user_name: user_name)
    user.wait_until_exists
    print_debug("Created new user #{user_name}")
  else
    print_debug("Found user #{user_name}")
  end

  user
end

# main
region = 'us-west-2'
user_name = ''
bucket_name = ''

i = 0

while i < ARGV.length
  case ARGV[i]
  when '-b'
    i += 1
    bucket_name = ARGV[i].to_s
  when '-u'
    i += 1
    user_name = ARGV[i].to_s
  when '-r'
    i += 1
    region = ARGV[i].to_s
  when '-d'
    puts 'Debugging enabled'
    $debug = true
  when '-h'
    puts USAGE
    exit 0
  else
    puts 'Unrecognized option: ' + ARGV[i]
    puts USAGE
    exit 1
  end
  i += 1
end

if bucket_name == ''
  puts 'You must supply a bucket name'
  puts USAGE
  exit 1
end

if user_name == ''
  puts 'You must supply a user name'
  puts USAGE
  exit 1
end

# IAM user we allow to list S3 bucket items for an hour
user = get_user(region, user_name, true)

# Create new STS client and get temporary credentials
sts = Aws::STS::Client.new(region: region)
temp_creds = sts.get_federation_token({
  duration_seconds: 3600,
  name: user_name,
  policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:ListBucket\",\"Resource\":\"arn:aws:s3:::#{bucket_name}\"}]}",
})
sts_creds = temp_creds.credentials
=begin
access_key_id = sts_creds.access_key_id # String
expiration = sts_creds.expiration # Time
secret_access_key = sts_creds.secret_access_key # String
session_token = sts_creds.session_token # String
=end

# Wrap the STS credential set (including the session token) in an
# Aws::Credentials object, which the SDK's credentials: option expects
credentials = Aws::Credentials.new(
  sts_creds.access_key_id,
  sts_creds.secret_access_key,
  sts_creds.session_token
)

# Create S3 client with temporary credentials
s3 = Aws::S3::Client.new(region: region, credentials: credentials)

# List the items for the specified S3 bucket, reusing the temporary-credential
# client (a Resource created with only region: would fall back to your
# long-term credentials and defeat the purpose of the script)
s3_resource = Aws::S3::Resource.new(client: s3)

begin
  bucket = s3_resource.bucket(bucket_name)
  count = bucket.objects.count
  puts "Items (#{count}):"
  puts

  # List the object key
  bucket.objects.each do |obj|
    puts "  Name: #{obj.key}"
  end
rescue Aws::S3::Errors::PermanentRedirect
  puts
  puts 'The bucket is not in the ' + region + ' region'
  exit 1
end
```