Menu
In AWS I have the following
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowGroupToSeeBucketvideo",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::mybucket"
]
},
{
"Sid": "AllowListingOfVideoBucket",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::mybucket"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::mybucket/*"
]
}
]
}
I want to be able to rename objects as well but with these permissions a rename fails anyone know what I am missing ?
818
Renaming an IAM userTo change a user's name or path, you must use the AWS CLI, Tools for Windows PowerShell, or AWS API. There is no option in the console to rename a user. For information about the permissions that you need in order to rename a user, see Permissions required to access IAM resources.
There is no direct method to rename a file in S3. What you have to do is copy the existing file with a new name (just set the target key) and delete the old one.
After you create a bucket, you can't change its name or Region. When naming a bucket, choose a name that is relevant to you or your business. Avoid using names associated with others. For example, you should avoid using AWS or Amazon in your bucket name.
in order to rename you need to add the following to your allow actions.
"s3:GetObjectVersion",
"s3:DeleteObjectVersion",
"s3:PutObjectAcl",
"s3:GetObjectAcl"
52
I think these permission will be helpful, I had tried it!
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObjectAcl"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::mx-provider-video-upload/9a9036/*"
]
Same answer I provided here How do you allow granting public read access to objects uploaded to AWS S3?
I found that certain actions (like renaming an object) will fail when executed from the console (but will succeed from the CLI!) when ListAllMyBuckets is not granted for all s3 resources. Adding the following to the IAM policy resolved the issue:
{
"Sid": "AccessS3Console",
"Action": [
"s3:ListAllMyBuckets"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::*"
}
Some of the actions I tested that failed from the console but succeeded from CLI:
I experienced these issues after following the instructions here https://aws.amazon.com/premiumsupport/knowledge-center/s3-console-access-certain-bucket/ which describe how to restrict access to a single bucket (and preventing seeing the full list of buckets in the account). The post didn't mention the caveats.
To limit a user's Amazon S3 console access to only a certain bucket or folder (prefix), change the following in the user's AWS Identity and Access Management (IAM) permissions:
- Remove permission to the s3:ListAllMyBuckets action.
- Add permission to s3:ListBucket only for the bucket or folder that you want the user to access. Note: To allow the user to upload and download objects from the bucket or folder, you must also include s3:PutObject and s3:GetObject.
Warning: After you change these permissions, the user gets an Access Denied error when they access the main Amazon S3 console. The user must access the bucket using a direct console link to the bucket or folder.
41
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
