阅读背景:

AWS S3 Java:doesObjectExist导致403:FORBIDDEN

来源:互联网 

I'm having trouble with my Java program using the AWS SDK to interact with an S3 bucket.

我在使用AWS SDK与我的Java程序进行交互时遇到了麻烦。

This is the code I use to create an S3 client:

这是我用来创建S3客户端的代码:

public S3StorageManager(S3Config config) throws StorageException {

   BasicAWSCredentials credentials = new BasicAWSCredentials(myAccessKey(), mySecretKey());
   AWSStaticCredentialsProvider provider = new AWSStaticCredentialsProvider(credentials);

   this.s3Client = AmazonS3ClientBuilder
        .standard()
        .withCredentials(provider)
        .withRegion(myRegion)
        .build();

When I try to download a file, before starting the download I check wether the file exists or not with:

当我尝试下载文件时,在开始下载之前,我检查文件是否存在:

s3Client.doesObjectExists(bucketName, objectName);

This is where I get 403: FORBIDDEN. The weird thing is this problem is raised only when I try to perform an object existence check before performing uploads in the same session. In other words, after initializing the s3Client: - if I first try to check if an object exists, it raises the FORBIDDEN problem; - if I first perform file upload, it works fine and after that any object existence check works fine as well;

这是我得到的地方403:FORBIDDEN。奇怪的是,只有当我在同一会话中执行上传之前尝试执行对象存在检查时才会引发此问题。换句话说,在初始化s3Client之后: - 如果我首先尝试检查对象是否存在,则会引发FORBIDDEN问题; - 如果我第一次执行文件上传,它工作正常,之后任何对象存在检查也可以正常工作;

Here is my stacktrace:

这是我的堆栈跟踪:

com.amazonaws.services.s3.model.AmazonS3Exception: Forbidden (Service: Amazon S3; Status Code: 403; Error Code: 403 Forbidden; Reques
t ID: A23BB805491E411F)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1588) ~[aws-java-sdk-core-1.
11.128.jar:?]
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1258) ~[aws-java-sdk-core-1.11
.128.jar:?]
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1030) ~[aws-java-sdk-core-1.11.128
.jar:?]
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:742) ~[aws-java-sdk-core-1.11.128.jar:
?]
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:716) ~[aws-java-sdk-core-1.11.1
28.jar:?]
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:699) ~[aws-java-sdk-core-1.11.128.jar:?]
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:667) ~[aws-java-sdk-core-1.11.128.jar
:?]
        at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:649) ~[aws-java-sdk-core-1.1
1.128.jar:?]
        at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:513) ~[aws-java-sdk-core-1.11.128.jar:?]
        at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:4169) ~[aws-java-sdk-s3-1.11.128.jar:?]
        at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:4116) ~[aws-java-sdk-s3-1.11.128.jar:?]
        at com.amazonaws.services.s3.AmazonS3Client.getObjectMetadata(AmazonS3Client.java:1237) ~[aws-java-sdk-s3-1.11.128.jar:?]
        at com.amazonaws.services.s3.AmazonS3Client.getObjectMetadata(AmazonS3Client.java:1213) ~[aws-java-sdk-s3-1.11.128.jar:?]
        at com.amazonaws.services.s3.AmazonS3Client.doesObjectExist(AmazonS3Client.java:1272) ~[aws-java-sdk-s3-1.11.128.jar:?]

Another weird thing is that all these problems started when I moved my Java program an EC2 remote machine. If I execute it on my local machine, the S3 interaction works fine. However I don't think the problem depends on the IAM roles, since I use the AWSStaticCredentialsProvider.

另一个奇怪的事情是,当我将Java程序移动到EC2远程计算机时,所有这些问题都开始了。如果我在本地机器上执行它,S3交互工作正常。但是我不认为问题取决于IAM角色,因为我使用AWSStaticCredentialsProvider。

3 个解决方案

#1


1  

Your credentials may be correct, but you will still get FORBIDDEN if you do not set the correct IAM polices. To check for objects in s3 you need the following:

您的凭据可能是正确的,但如果您未设置正确的IAM策略,您仍将获得FORBIDDEN。要检查s3中的对象,您需要以下内容:

{
    "Version":"2012-10-17",
    "Statement":[
        {
            "Effect":"Allow",
            "Action":[
            "s3:ListBucket"
            ],
            "Resource":["arn:aws:s3:::examplebucket/*"]
        },
        {
            "Effect":"Allow",
            "Action":[
            "s3:GetObject"
            ],
          "Resource":["arn:aws:s3:::examplebucket/*"]
        }
    ]
}

#2


1  

Make sure the date time is set correctly on the machine you are making the request from, otherwise you will get a 403.

确保在您提出请求的机器上正确设置日期时间,否则您将获得403。

#3


0  

I really look like an IAM policy issue. What is your user's policies on your local machine vs what is your IAM role with which policy(ies)? For your EC2 instance, when you create it, create a role with "AmazonS3FullAccess" policy, if it solves the problem you'll remove the useless rights.

我看起来像是一个IAM政策问题。您的本地计算机上的用户策略与您的IAM角色策略有什么关系?对于您的EC2实例,在创建它时,使用“AmazonS3FullAccess”策略创建一个角色,如果它解决了问题,您将删除无用的权限。


分享到: