AWS S3: InvalidBucketAclWithObjectOwnershipBucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforcedACL

huangapple go评论77阅读模式
英文:

AWS S3: InvalidBucketAclWithObjectOwnershipBucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforcedACL

问题

以下是您提供的内容的翻译:

自几年前以来,我一直有一个PHP脚本,允许我生成存储桶并上传一些公共图像。现在,我的方法开始一次又一次地报错相同的错误:
"InvalidBucketAclWithObjectOwnership"
目前,它是这样的:

$s3 = new \Aws\S3\S3Client($awsConf);
$s3->createBucket(['ACL' => $acl,'Bucket' => $bucket_name]);

所以我找到了一个可能的解决方案,添加另一个选项:

'ObjectOwnership' => 'BucketOwnerForced',

但对我来说没有任何变化。您对我需要在API调用中添加什么有任何想法吗?

编辑:

完整错误:

Error executing "CreateBucket" on "https://rhmpicsneu1.s3.eu-central-1.amazonaws.com/"; AWS HTTP error: Client error: PUT https://rhmpicsneu1.s3.eu-central-1.amazonaws.com/ resulted in a 400 Bad Request response:

InvalidBucketAclWithObjectOwnershipBucket cannot hav (truncated...)
InvalidBucketAclWithObjectOwnership (client): Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting -
InvalidBucketAclWithObjectOwnershipBucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced settingXXE0VAW96NHT89XC2VCYWewOiAFgS1iXhZUW0ku8pAgQSDkOQAcOVEn0wTwV0HwE9IkUQhxeRdhFBsoEmaXad5EFKrbL586AY1Q+ww==

英文:

Since a few years, I have had a PHP Script that allows me to generate Buckets and upload some public images to it.
now my Method starts to spit out the same Error again and again:
InvalidBucketAclWithObjectOwnership
for now, it was:

$s3 = new \Aws\S3\S3Client($awsConf);
$s3->createBucket(['ACL' => $acl,'Bucket' => $bucket_name]);

So I found a possible solution to add another option:

'ObjectOwnership' => 'BucketOwnerForced',

But nothing changed for me. Do you have any ideas about what I have to add to the API call?

EDIT:

FULL ERROR:
>Error executing "CreateBucket" on "https://rhmpicsneu1.s3.eu-central-1.amazonaws.com/"; AWS HTTP error: Client error: PUT https://rhmpicsneu1.s3.eu-central-1.amazonaws.com/ resulted in a 400 Bad Request response:
><?xml version="1.0" encoding="UTF-8"?>
><Error><Code>InvalidBucketAclWithObjectOwnership</Code><Message>Bucket cannot hav (truncated...)
> InvalidBucketAclWithObjectOwnership (client): Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting - <?xml version="1.0" encoding="UTF-8"?>
><Error><Code>InvalidBucketAclWithObjectOwnership</Code><Message>Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting</Message><RequestId>XXE0VAW96NHT89XC</RequestId><HostId>2VCYWewOiAFgS1iXhZUW0ku8pAgQSDkOQAcOVEn0wTwV0HwE9IkUQhxeRdhFBsoEmaXad5EFKrbL586AY1Q+ww==</HostId></Error>

答案1

得分: 1

以下是您提供的内容的翻译:

Amazon S3 2023年4月开始的安全更改

> 从2023年4月开始,该区域中的所有新创建的存储桶将默认启用S3阻止公共访问,并禁用访问控制列表(ACL)。这两个选项已经是控制台默认设置,并一直被推荐为最佳实践。这些选项将成为使用S3 APIS3 CLIAWS SDKsAWS CloudFormation模板创建的存储桶的默认设置。
>
> 禁用ACL - 新创建的存储桶将启用“桶所有者强制执行”设置,使存储桶ACL和对象ACL无效,并确保无论谁上传对象,存储桶所有者都是对象所有者。如果要为存储桶启用ACL,您可以在CreateBucket请求中设置ObjectOwnership参数为ObjectWriter,或在创建存储桶后调用DeleteBucketOwnershipControls。您需要具有s3:PutBucketOwnershipControls权限才能使用该参数或调用该函数。

因此,要使ACL启用为public-read的存储桶,首先需要使用'ObjectOwnership' => 'ObjectWriter''ObjectOwnership' => 'BucketOwnerPreferred'创建存储桶。然后在下一步中禁用阻止所有公共访问,以便可以将存储桶ACL更新为public-read。请检查下面的存储桶创建截图。

使用PHP SDK,可以这样做:

&lt;?php

require 'vendor/autoload.php';
use Aws\S3\S3Client;
use Aws\Exception\AwsException;

//创建S3Client
$s3client = new Aws\S3\S3Client([
    'version' => 'latest',
    'region' => 'ap-south-1'
]);

$bucket_name = "test-sdk-arpit";
try {
	//使用ObjectWriter创建存储桶,使ACL启用。
    $s3client->createBucket([
		'Bucket' => $bucket_name,
		'ObjectOwnership' => 'ObjectWriter'
    ]);
    echo "创建的存储桶名称:$bucket_name \n";
	
	
	//禁用阻止所有公共访问,以便可以更新ACL为public-read,否则将返回访问被拒绝的错误。
	$result = $s3client->putPublicAccessBlock([
		'Bucket' => $bucket_name, // 必需
		'PublicAccessBlockConfiguration' => [ // 必需
			'BlockPublicAcls' => false
		],
	]);
	echo "为存储桶禁用阻止所有公共访问:$bucket_name\n";
	
	//更新存储桶ACL以实现public-read访问。
	$result = $s3client->putBucketAcl([
		'ACL' => 'public-read',
		'Bucket' => $bucket_name, // 必需
	]);
	echo "已更新ACL以实现public read访问的存储桶:$bucket_name \n";
	
} catch (Exception $exception) {
    echo "创建/更新存储桶$bucket_name失败,错误信息:" . $exception->getMessage();
    exit("请在继续之前修复存储桶创建错误。");
}

ObjectOwnership 对象所有权有三个设置,可用于控制上传到存储桶的对象的所有权,以及禁用或启用ACL:

  • ObjectWriter - 如果使用bucket-owner-full-control canned ACL上传对象,则上传的帐户将拥有对象的所有权。(对象编写者仍然是对象所有者。ACL仍然用于访问控制。即启用了ACL
  • BucketOwnerEnforced - 禁用访问控制列表(ACL),不再影响权限。存储桶所有者自动拥有并对存储桶中的每个对象具有完全控制权。存储桶仅接受不指定ACL或存储桶所有者完全控制ACL的PUT请求,例如bucket-owner-full-control canned ACL或以XML格式表示的等效形式的此ACL。(即禁用了ACL
  • BucketOwnerPreferred - 如果使用bucket-owner-full-control canned ACL上传对象,则上传到存储桶的对象的所有权将更改为存储桶所有者。(即启用了ACL

有用的资源:

英文:

From Amazon S3 Security Changes Are Coming in April of 2023

> Starting in April of 2023, all newly created buckets in the Region
> will by default have S3 Block Public Access enabled and access
> control lists (ACLs)
disabled. Both of these options are already
> console defaults and have long been recommended as best practices. The
> options will become the default for buckets that are created using the
> S3 API, S3 CLI, the AWS SDKs, or AWS CloudFormation templates.
>
> ACLs DisabledThe Bucket owner enforced setting will be enabled for newly created buckets, making bucket ACLs and object ACLs
> ineffective, and ensuring that the bucket owner is the object owner no
> matter who uploads the object. If you want to enable ACLs for a
> bucket, you can set the ObjectOwnership parameter to ObjectWriter
> in your CreateBucket request or you can call
> DeleteBucketOwnershipControls after you create the bucket
. You will
> need s3:PutBucketOwnershipControls permission in order to use the
> parameter or to call the function;

So to have a Bucket with ACL enabled with public-read, first, you need to create the bucket with &#39;ObjectOwnership&#39; =&gt; &#39;ObjectWriter&#39; or &#39;ObjectOwnership&#39; =&gt; &#39;BucketOwnerPreferred&#39;. And then Disable Block all public access so Bucket ACL can be updated to public-read in the next step. Please check the below screenshot of the bucket created.

With PHP SDK, you can do like so:-

&lt;?php

require &#39;vendor/autoload.php&#39;;
use Aws\S3\S3Client;
use Aws\Exception\AwsException;

//Create an S3Client
$s3client = new Aws\S3\S3Client([
    &#39;version&#39; =&gt; &#39;latest&#39;,
    &#39;region&#39; =&gt; &#39;ap-south-1&#39;
]);

$bucket_name = &quot;test-sdk-arpit&quot;;
try {
	//Create Bucket with ObjectOwnership as ObjectWriter which make ACL as enabled.
    $s3client-&gt;createBucket([
		&#39;Bucket&#39; =&gt; $bucket_name,
		&#39;ObjectOwnership&#39; =&gt; &#39;ObjectWriter&#39;
    ]);
    echo &quot;Created bucket named: $bucket_name \n&quot;;
	
	
	//Disable Block all public access so we can update ACL to public-read else it will give access denied error.
	$result = $s3client-&gt;putPublicAccessBlock([
		&#39;Bucket&#39; =&gt; $bucket_name, // REQUIRED
		&#39;PublicAccessBlockConfiguration&#39; =&gt; [ // REQUIRED
			&#39;BlockPublicAcls&#39; =&gt; false
		],
	]);
	echo &quot;Disable Block all public access for bucket:$bucket_name\n&quot;;
	
	//Update Bucket ACL for public-read access.
	$result = $s3client-&gt;putBucketAcl([
		&#39;ACL&#39; =&gt; &#39;public-read&#39;,
		&#39;Bucket&#39; =&gt; $bucket_name, // REQUIRED
	]);
	echo &quot;Updated ACL to public read for bucket:$bucket_name make \n&quot;;
	
} catch (Exception $exception) {
    echo &quot;Failed to create/update bucket $bucket_name with error: &quot; . $exception-&gt;getMessage();
    exit(&quot;Please fix error with bucket creation before continuing.&quot;);
}

ObjectOwnership Object Ownership has three settings that you can use to control ownership of objects uploaded to your bucket and to disable or enable ACLs:-

  • ObjectWriter - The uploading account will own the object if the object is uploaded with the bucket-owner-full-control canned ACL.
    (The object writer remains the object owner. ACLs are still used for
    access control. ie ACLs enabled)
  • BucketOwnerEnforced - Access control lists (ACLs) are disabled and no
    longer affect permissions. The bucket owner automatically owns and
    has full control over every object in the bucket. The bucket only
    accepts PUT requests that don't specify an ACL or bucket owner full
    control ACLs, such as the bucket-owner-full-control canned ACL or an
    equivalent form of this ACL expressed in the XML format. ie. (ACLs disabled)
  • BucketOwnerPreferred - Objects uploaded to the bucket change
    ownership to the bucket owner if the objects are uploaded with the
    bucket-owner-full-control canned ACL. ie. (ACLs enabled)
    AWS S3: InvalidBucketAclWithObjectOwnershipBucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforcedACL

Useful Resources:-

huangapple
  • 本文由 发表于 2023年5月25日 17:53:16
  • 转载请务必保留本文链接:https://go.coder-hub.com/76330998.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定