Error: Error putting S3 bucket policy: The bucket policy is too large. Maximum policy size is 20 KB.
ID: policy/aws-s3-bucket-policy-size-limit-exceeded
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| AWS S3 | active | — | — | — |
| AWS CLI 2.x | active | — | — | — |
| AWS SDK for Python (boto3) 1.28+ | active | — | — | — |
Root cause analysis
The S3 bucket policy document exceeds the 20 KB size limit that AWS imposes on bucket policies. The usual causes are a separate statement for every prefix or every principal (when one statement with a Resource or Principal list would do), long ARNs, and large Condition blocks.
Official documentation
https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html
Solutions
- Merge statements that share the same Effect, Principal, Action and Condition into a single statement with a Resource list. For example, replace one statement per prefix with a single statement whose Resource lists every prefix ARN (a bucket policy can only name its own bucket and objects, so the ARNs differ by key prefix, not by bucket). Apply it with `aws s3api put-bucket-policy --bucket my-bucket --policy file://policy.json`, and check the document size first with `ls -l policy.json` (or `wc -c policy.json` for the exact byte count).
- Move some permissions into IAM identity policies attached to users or roles instead of the bucket policy. For example, if the bucket policy grants access to many individual IAM users in your own account, create one IAM policy granting the same permissions and attach it to those users, which removes the per-user statements from the bucket policy. For cross-account principals, grant the other account as a whole in one bucket-policy statement and let that account's IAM policies scope access to individual roles.
- Use S3 Access Points or S3 Object Lambda to offload some of the policy logic from the bucket policy. Each access point has its own policy (with its own 20 KB limit), so access control can be delegated: a single bucket-policy statement allows requests arriving through your account's access points (the `s3:DataAccessPointAccount` condition key), and the per-team or per-application rules live in the access point policies.
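The following Python script, added here as an example rather than code from the page or from AWS, implements the first solution above: it measures a bucket policy's byte size against the 20 KB limit and merges statements that are identical apart from Sid and Resource into one statement with a combined Resource list. It uses only the standard library; the account ID, bucket name, role name and prefix layout in the constructed sample policy are assumptions, and the `boto3` call that would apply the result is shown in a comment because it needs credentials. The pretty-printed versus compact sizes it reports also show how little whitespace removal buys on its own.

```python
"""Check an S3 bucket policy against the 20 KB limit and consolidate
per-prefix statements into one statement with a Resource list.

Example added to this page; not AWS code. Standard library only.
"""
import json
from copy import deepcopy

BUCKET_POLICY_LIMIT_BYTES = 20 * 1024   # S3 rejects bucket policies above this
ACCOUNT = "123456789012"                # assumed account id for the sample
BUCKET = "my-bucket"                    # assumed bucket name for the sample


def _as_list(value):
    """IAM accepts a string or a list for Principal/Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_size_bytes(policy, pretty=False):
    """UTF-8 byte length of the policy document, compact (as you would submit it)
    or pretty-printed with 4-space indentation (as it usually sits on disk)."""
    if pretty:
        text = json.dumps(policy, indent=4)
    else:
        text = json.dumps(policy, separators=(",", ":"))
    return len(text.encode("utf-8"))


def consolidate_statements(policy):
    """Merge statements that differ only in Sid and Resource into one statement
    whose Resource lists every ARN (first Sid wins; Sids must stay unique).
    Everything else, including Condition, NotAction and NotPrincipal, must match
    exactly or the statements are kept separate. Statements without a Resource
    element (NotResource) are passed through untouched. Returns a new policy."""
    merged, order, passthrough = {}, [], []
    for stmt in _as_list(policy["Statement"]):
        if "Resource" not in stmt:
            passthrough.append(deepcopy(stmt))
            continue
        key = json.dumps({k: v for k, v in stmt.items()
                          if k not in ("Sid", "Resource")}, sort_keys=True)
        if key not in merged:
            new = deepcopy(stmt)
            new["Resource"] = list(dict.fromkeys(_as_list(stmt["Resource"])))
            merged[key] = new
            order.append(key)
        else:
            for arn in _as_list(stmt["Resource"]):
                if arn not in merged[key]["Resource"]:
                    merged[key]["Resource"].append(arn)
    out = {k: v for k, v in policy.items() if k != "Statement"}
    out["Statement"] = [merged[k] for k in order] + passthrough
    return out


def check_policy(policy):
    """Statement count, compact and pretty sizes, and whether it fits the S3 limit."""
    size = policy_size_bytes(policy)
    return {
        "statements": len(_as_list(policy["Statement"])),
        "bytes_compact": size,
        "bytes_pretty": policy_size_bytes(policy, pretty=True),
        "fits": size <= BUCKET_POLICY_LIMIT_BYTES,
    }


def sample_policy(prefix_count):
    """Constructed sample: one read statement per team prefix (the pattern that
    blows the limit) plus a deny-insecure-transport statement that must NOT be
    merged with them because its Effect, Principal and Condition differ."""
    statements = []
    for i in range(prefix_count):
        statements.append({
            "Sid": f"ReadTeam{i:03d}",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/analytics-reader"},
            "Action": ["s3:GetObject", "s3:GetObjectVersion"],
            "Resource": f"arn:aws:s3:::{BUCKET}/team-{i:03d}/*",
        })
    statements.append({
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    })
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    original = sample_policy(150)          # 150 prefixes: well over 20 KB
    slim = consolidate_statements(original)
    print("before:", check_policy(original))
    print("after: ", check_policy(slim))
    # To apply (needs credentials):
    # boto3.client("s3").put_bucket_policy(
    #     Bucket=BUCKET, Policy=json.dumps(slim, separators=(",", ":")))
```

The merge key deliberately includes Condition: two statements with the same Principal and Action but different Condition blocks grant different access, and folding their Resources together would widen one of them. Run `check_policy` on the consolidated document before calling `put-bucket-policy`; if it still does not fit, the remaining statements are candidates for the IAM-policy or access-point approaches above.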
Ineffective attempts
Common but ineffective approaches:
- 60% failure rate: Removing whitespace does help a little, but the limit is measured on the JSON document's byte count, and indentation typically accounts for only a few hundred bytes. That is not enough for a policy that is significantly over 20 KB.
- 90% failure rate: Attaching a second policy to the bucket. An S3 bucket has exactly one bucket policy; AWS does not support multiple policies on a single bucket, and a new `put-bucket-policy` call replaces the existing document. All statements must be consolidated into one policy.
- 50% failure rate: Moving everything into IAM policies without checking their quotas. IAM policies have their own, smaller limits (6,144 characters for a managed policy, 10,240 characters for all inline policies on one role, and 2,048 characters for a role trust policy by default), so the same problem can reappear on the IAM side if the statements are simply relocated rather than restructured.