STS即Secure Token Service 是一種安全憑證服務，可以使用STS來完成對于臨時用戶的訪問授權。對于跨用戶短期訪問對象存儲資源時，可以使用STS服務。這樣就不需要透露主賬號AK/SK，只需要生成一個短期訪問憑證給需要的用戶使用即可，避免主賬號AK/SK泄露帶來的安全風險。

初始化STS服務

access_key = '<your-access-key>'
secret_key = '<your-secret-access-key>'
end_point = '<your-endpoint>'
region = 'cn'
?
self.sts_client = boto3.client(
    'sts',
    aws_access_key_id=access_key,
    aws_secret_access_key=secret_key,
    endpoint_url=end_point,
    region_name=region)

獲取臨時token

def assume_role(self):
    print('assume_role')
    bucket = '<your-bucket>'
    policy = r'{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":["s3:*"]' \
             r',"Resource":["arn:aws:s3:::%s","arn:aws:s3:::%s/*"]}}' % (bucket, bucket)
    role_arn = "arn:aws:iam:::role/<your-role>"
    role_session_name = "<your-session-name>"
?
    print('policy: %s' % policy)
    response = self.sts_client.assume_role(
        Policy=policy,
        RoleArn=role_arn,
        RoleSessionName=role_session_name,
    )
    print('ak %s' % response['Credentials']['AccessKeyId'])
    print('sk %s' % response['Credentials']['SecretAccessKey'])
    print('token %s' % response['Credentials']['SessionToken'])

請求參數

Policy設置例子

• 允許所有的操作

{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":["s3:*"],"Resource":["arn:aws:s3:::<your-bucket-name>","arn:aws:s3:::<your-bucket-name>/*"]}}

• 限制只能上傳和下載

{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":["s3:PutObject","s3:GetObject"],"Resource":["arn:aws:s3:::<your-bucket-name>","arn:aws:s3:::<your-bucket-name>/*"]}}

• 使用分片上傳

{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":["s3:PutObject","s3:AbortMultipartUpload","s3:ListBucketMultipartUploads","s3:ListMultipartUploadParts"],"Resource":["arn:aws:s3:::<your-bucket-name>","arn:aws:s3:::<your-bucket-name>/*"]}}

• 其他常見操作權限：

  • 上傳權限：s3:PutObject

  • 下載權限：s3:GetObject

  • 刪除權限：s3:DeleteObject

  • 獲取列表權限：s3:ListBucket

更多權限可參考：桶策略。