将S3设置为类SFTP服务用于数据上传

S3的一个好用的功能是能设置为相似SFTP的共享文件夹让用户上传数据，而已因为S3不是一部机器而是云原生服务，所以在维护上很是简单，而已价钱便宜，很是适合于大量文件保存和共享。

设置的难点在于policy的设定，如下是步骤。

1. 进入IAM设置policy
   

具体策略以下，按须要修改

整个bucket full权限

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "S3:*",
      "Resource": "arn:aws:s3:::BUCKET/*",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::BUCKET",
      "Condition": {}
    }
  ]
}

只容许bucket下某个文件夹full权限

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
         "s3:ListBucket",
         "s3:ListBucketMultipartUploads",
         "s3:ListBucketVersions"
       ],
      "Resource": "arn:aws:s3:::BUCKET",
      "Condition": {
        "StringLike": {
          "s3:prefix": "FOLDER/*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action":  "s3:*" ,
      "Resource": "arn:aws:s3:::BUCKET/FOLDER/*",
      "Condition": {}
    }
  ]
}

给予存储桶只读权限

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "S3:ListBucket",
            "Resource": "arn:aws:s3:::bucket name",
            "Condition": {}
        },
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket name/*",
            "Condition": {}
        }
    ]
}

只容许只读访问存储桶下某个指定文件夹

{
  "Version": "2012-10-17",
  "Statement" : [{
    "Sid" : "GiveSimpleListAccessToSharedFolder",
    "Effect" : "Allow",
    "Action" : "s3:ListBucket",
    "Resource" : "arn:aws:s3:::BUCKET",
    "Condition" : {
        "StringLike" : {
       "s3:prefix": "FOLDER/*"
        }
    }
  },
  {
    "Sid" : "GiveReadAccessToSharedFolder",
    "Effect" : "Allow",
    "Action" : "s3:GetObject",
    "Resource" : "arn:aws:s3:::BUCKET/FOLDER/*"
  }]
}

2. 添加policy后，命名，而后保存

3. 返回IAM，点Group，添加组，

4. 设置与policy同样的名字，便于识别

5. 将以前建立的policy添加到这个组上，等于设定后续用户加入这个组所拥有的用户访问S3的权限

6. 完成后能够开始建立添加用户，返回IAM，点用户

7. 勾选编程访问

8. 添加用户到对应权限组

完成后便可经过S3客户端，例如Cloudberry, Cyberduck访问，把产生的用户IAM key添加到软件便可，以下是Cloudberry界面截图，跟SFTP访问文件夹相似

注意的点，对于中国区S3 policy的权限设定，与外国区有点区别，具体policy以下。若是客户端须要填写S3 server地址，用这个：s3.cn-north-1.amazonaws.com.cn

存储桶full权限

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListBucketIfSpecificPrefixIsIncludedInRequest",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws-cn:s3:::bucket"
            ],
            "Condition": {}
        },
        {
            "Sid": "AllowUserToReadWriteObjectDataInDevelopmentFolder",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws-cn:s3:::bucket/*"
            ]
        }
    ]
}

full权限，可是没有删除权限

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListBucketIfSpecificPrefixIsIncludedInRequest",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws-cn:s3:::BUCKET"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": "FOLDER/*"
                }
            }
        },
        {
            "Sid": "AllowUserToReadWriteObjectDataInDevelopmentFolder",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws-cn:s3:::BUCKET/FOLDER/*"
            ]
        }
    ]
}