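Accessing S3 data using credentials vended by S3 Access Grants
After a grantee obtains temporary credentials through their access grant, they can use these temporary credentials to call Amazon S3 API operations to access your data.
Grantees can access S3 data by using the Amazon Command Line Interface (Amazon CLI), the Amazon SDKs, and the Amazon S3 REST API. Additionally, you can use the Amazon Python and Java plugins to call S3 Access Grants.
After the grantee obtains their temporary credentials from S3 Access Grants, they can set up a profile with these credentials to retrieve the data.
To install the Amazon CLI, see Installing the Amazon CLI in the Amazon Command Line Interface User Guide.
To use the following example commands, replace the user input placeholders with your own information.
Example – Set up a profile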
    aws configure set aws_access_key_id "$accessKey" --profile access-grants-consumer-access-profile
    aws configure set aws_secret_access_key "$secretKey" --profile access-grants-consumer-access-profile
    aws configure set aws_session_token "$sessionToken" --profile access-grants-consumer-access-profile
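To use the following example command, replace the user input placeholders with your own information.
Example – Get S3 data
Grantees can use the get-object Amazon CLI command to access the data. Grantees can also use put-object, ls, and other S3 Amazon CLI commands.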
    aws s3api get-object \
        --bucket amzn-s3-demo-bucket1 \
        --key myprefix \
        --region us-east-2 \
        --profile access-grants-consumer-access-profile
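The profile setup and scope check above, as an added Python example that is not part of the original documentation: it refuses credentials that are expired or about to expire, checks that the object is covered by the grant, and writes the profile to a credentials file that only the owner can read. The response shape (the `Credentials` and `MatchedGrantTarget` fields of a GetDataAccess response), the sample values, and the function names are assumptions made for illustration.

```python
import configparser
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample shaped like a GetDataAccess response; every value is a placeholder.
SAMPLE = json.loads("""{
  "Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "example/secret",
                  "SessionToken": "example%token", "Expiration": "2030-01-01T12:00:00+00:00"},
  "MatchedGrantTarget": "s3://amzn-s3-demo-bucket1/myprefix*"
}""")

def in_scope(s3_uri, matched_target):
    """True if s3_uri is covered by the grant scope (a trailing * is a prefix match)."""
    if matched_target.endswith("*"):
        return s3_uri.startswith(matched_target[:-1])
    return s3_uri == matched_target

def seconds_left(response, now):
    """Remaining lifetime of the session credentials, in seconds."""
    expiry = datetime.fromisoformat(response["Credentials"]["Expiration"])
    return (expiry - now).total_seconds()

def write_profile(response, path, profile, now, min_ttl=60):
    """Save the credentials as a named profile in a file only the owner can read."""
    if seconds_left(response, now) < min_ttl:
        raise ValueError("credentials expired or about to expire; request new ones")
    creds = response["Credentials"]
    cfg = configparser.ConfigParser(interpolation=None)  # tokens may contain '%'
    cfg.read(path)  # keep any other profiles already in the file
    cfg[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        cfg.write(handle)
    os.chmod(path, 0o600)  # tighten a file that already existed with wider permissions

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    target = "s3://amzn-s3-demo-bucket1/myprefix"
    print("in scope:", in_scope(target, SAMPLE["MatchedGrantTarget"]))
    with tempfile.TemporaryDirectory() as tmp:  # scratch file, not ~/.aws/credentials
        path = os.path.join(tmp, "credentials")
        write_profile(SAMPLE, path, "access-grants-consumer-access-profile", now)
        print("profile written, seconds left:", int(seconds_left(SAMPLE, now)))
```

Pointing `path` at the real credentials file makes the profile usable with the `--profile` option shown in the commands above.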
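The examples in this section show how grantees can use the Amazon SDKs to access S3 data.
- Java
The following Java code example gets an object from an S3 bucket. For instructions on creating and testing a working sample, see Getting Started in the Amazon SDK for Java Developer Guide.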
    import com.amazonaws.AmazonServiceException;
    import com.amazonaws.SdkClientException;
    import com.amazonaws.auth.profile.ProfileCredentialsProvider;
    import com.amazonaws.regions.Regions;
    import com.amazonaws.services.s3.AmazonS3;
    import com.amazonaws.services.s3.AmazonS3ClientBuilder;
    import com.amazonaws.services.s3.model.GetObjectRequest;
    import com.amazonaws.services.s3.model.ResponseHeaderOverrides;
    import com.amazonaws.services.s3.model.S3Object;

    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStream;
    import java.io.InputStreamReader;

    public class GetObject2 {

        public static void main(String[] args) throws IOException {
            Regions clientRegion = Regions.DEFAULT_REGION;
            String bucketName = "*** Bucket name ***";
            String key = "*** Object key ***";

            S3Object fullObject = null, objectPortion = null, headerOverrideObject = null;
            try {
                AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
                        .withRegion(clientRegion)
                        .withCredentials(new ProfileCredentialsProvider())
                        .build();

                // Get an object and print its contents.
                System.out.println("Downloading an object");
                fullObject = s3Client.getObject(new GetObjectRequest(bucketName, key));
                System.out.println("Content-Type: " + fullObject.getObjectMetadata().getContentType());
                System.out.println("Content: ");
                displayTextInputStream(fullObject.getObjectContent());

                // Get a range of bytes from an object and print the bytes.
                GetObjectRequest rangeObjectRequest = new GetObjectRequest(bucketName, key)
                        .withRange(0, 9);
                objectPortion = s3Client.getObject(rangeObjectRequest);
                System.out.println("Printing bytes retrieved.");
                displayTextInputStream(objectPortion.getObjectContent());

                // Get an entire object, overriding the specified response headers, and print
                // the object's content.
                ResponseHeaderOverrides headerOverrides = new ResponseHeaderOverrides()
                        .withCacheControl("No-cache")
                        .withContentDisposition("attachment; filename=example.txt");
                GetObjectRequest getObjectRequestHeaderOverride = new GetObjectRequest(bucketName, key)
                        .withResponseHeaders(headerOverrides);
                headerOverrideObject = s3Client.getObject(getObjectRequestHeaderOverride);
                displayTextInputStream(headerOverrideObject.getObjectContent());
            } catch (AmazonServiceException e) {
                // The call was transmitted successfully, but Amazon S3 couldn't process
                // it, so it returned an error response.
                e.printStackTrace();
            } catch (SdkClientException e) {
                // Amazon S3 couldn't be contacted for a response, or the client
                // couldn't parse the response from Amazon S3.
                e.printStackTrace();
            } finally {
                // To ensure that the network connection doesn't remain open, close any open
                // input streams.
                if (fullObject != null) {
                    fullObject.close();
                }
                if (objectPortion != null) {
                    objectPortion.close();
                }
                if (headerOverrideObject != null) {
                    headerOverrideObject.close();
                }
            }
        }

        private static void displayTextInputStream(InputStream input) throws IOException {
            // Read the text input stream one line at a time and display each line.
            BufferedReader reader = new BufferedReader(new InputStreamReader(input));
            String line = null;
            while ((line = reader.readLine()) != null) {
                System.out.println(line);
            }
            System.out.println();
        }
    }
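Supported S3 actions in S3 Access Grants
Grantees can use the temporary credentials vended by S3 Access Grants to perform S3 actions on the S3 data that they have access to. The following is a list of the supported S3 actions that grantees can perform. Which actions are supported depends on the permission level granted in the access grant: READ, WRITE, or READWRITE.
In addition to the Amazon S3 permissions listed below, Amazon S3 can call the Amazon Key Management Service (Amazon KMS) Decrypt (kms:decrypt) READ permission or the Amazon KMS GenerateDataKey (kms:generateDataKey) WRITE permission. These permissions don't allow direct access to the Amazon KMS key.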