I have created a bucket on Amazon S3 and added a bucket policy giving another user account access to upload files to it. I added the following bucket policy.
However, now I am myself unable to download the files uploaded by the sharer. I guess I haven't given them ACL rights. How should I proceed to download the files? Can they grant permission from their end for their uploaded files?
{
  "Version": "2008-10-17",
  "Id": "Policyxxxxxxxxxxxx",
  "Statement": [
    {
      "Sid": "Stmtxxxxxxxxxxxxx",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account_number>:root"
      },
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:GetObject",
        "s3:ListMultipartUploadParts",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::<bucket_name>/*"
    },
    {
      "Sid": "Stmtxxxxxxxxxxx",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account_number>:root"
      },
      "Action": [
        "s3:PutBucketLogging",
        "s3:PutBucketNotification",
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::<bucket_name>"
    }
  ]
}
Open the IAM console. Add a policy to the IAM user that grants the permissions to upload and download from the bucket. You can use a policy that's similar to the following:
Note: For the Resource value, enter the Amazon Resource Name (ARN) for the bucket with a wildcard character to indicate the objects in the bucket.
For these existing buckets, an object owner had to explicitly grant permissions to an object (by attaching an access control list). Otherwise, the bucket owner would be unable to access the object.
To download an entire bucket to your local file system, use the AWS CLI sync command, passing it the S3 bucket as a source and a directory on your file system as a destination, e.g. aws s3 sync s3://YOUR_BUCKET . (the trailing dot is the destination directory). The sync command recursively copies the contents of the source to the destination.
I was facing a similar situation: the destination account was not granted full access, so the bucket policy granting CloudFront read access did not work.
In addition to OP's "s3:x-amz-grant-full-control": ["[email protected]"] or id=xxx, another way is to use a canned ACL. By using bucket-owner-full-control, we do not have to list a specific email or canonical ID.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "111111111111"},
      "Action": "s3:PutObject",
      "Resource": ["arn:aws:s3:::examplebucket/*", "arn:aws:s3:::examplebucket"]
    },
    {
      "Effect": "Deny",
      "Principal": {"AWS": "111111111111"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
        "StringNotEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
      }
    }
  ]
}
So the problem is that an Amazon S3 bucket applies the bucket policy only to objects owned by the bucket owner. So if you are the bucket owner and gave PutObject permission through the bucket policy, that means you also need to make sure they give you permission during the object upload. While granting cross-account permissions to upload objects, one can restrict uploads to only objects that come with read permission.
Source: http://docs.aws.amazon.com/AmazonS3/latest/dev/AccessPolicyLanguage_UseCases_s3_a.html
Related discussion: https://forums.aws.amazon.com/thread.jspa?messageID=524342&%20#524342
Example bucket policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "111",
      "Effect": "Allow",
      "Principal": {
        "AWS": "1111111111"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::examplebucket/*"
    },
    {
      "Sid": "112",
      "Effect": "Deny",
      "Principal": {
        "AWS": "1111111111"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-grant-full-control": [
            "[email protected]"
          ]
        }
      }
    }
  ]
}
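The two answers above (the canned-ACL policy and the s3:x-amz-grant-full-control policy) both rely on the same mechanics: an Allow for cross-account PutObject, an explicit Deny whose StringNotEquals condition fires when the upload request lacks the required ACL header, and S3's rule that the uploading account owns the object, so the bucket policy alone does not let the bucket owner read it. The following is an added example, not code from any of the answers and not AWS's evaluator: it models just that slice of IAM semantics offline, so you can see why the asker's Allow-only policy produces unreadable objects and why either Deny statement fixes it. The account IDs, canonical user IDs, bucket name and object keys are made up, and the evaluator only supports StringNotEquals, principals matched by account ID, and a trailing /* resource wildcard.

```python
"""Offline model of the Allow + conditional-Deny bucket-policy pattern and of
S3's object-ownership rule that makes it necessary.

Added illustration, not AWS's policy evaluator. Only the slice of IAM semantics
the answers rely on is implemented: Effect, Principal matched by account ID,
Action, Resource with a trailing wildcard, and StringNotEquals on a request
header. All IDs and names are made up.
"""
from dataclasses import dataclass, field

BUCKET_OWNER = "222222222222"          # assumed bucket-owning account
UPLOADER = "111111111111"              # cross-account principal from the answers
CANONICAL = {BUCKET_OWNER: "4a1f-owner-canonical-id",   # made-up canonical user IDs
             UPLOADER: "9c2e-uploader-canonical-id"}
BUCKET_ARN = "arn:aws:s3:::examplebucket"


def upload_policy(condition_key, required_value):
    """Allow PutObject from UPLOADER, then Deny any PutObject whose request does
    not carry the required header value. This is the shape of both answers."""
    return {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": UPLOADER}, "Action": "s3:PutObject",
         "Resource": BUCKET_ARN + "/*"},
        {"Effect": "Deny", "Principal": {"AWS": UPLOADER}, "Action": "s3:PutObject",
         "Resource": BUCKET_ARN + "/*",
         "Condition": {"StringNotEquals": {condition_key: required_value}}},
    ]}


CANNED_ACL_POLICY = upload_policy("s3:x-amz-acl", "bucket-owner-full-control")
GRANT_POLICY = upload_policy("s3:x-amz-grant-full-control", "id=" + CANONICAL[BUCKET_OWNER])
ALLOW_ONLY_POLICY = {"Statement": CANNED_ACL_POLICY["Statement"][:1]}  # the asker's policy: no Deny


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(cond, context):
    """StringNotEquals is the only operator modelled. A key that is absent from
    the request context leaves the negated comparison true, which is what makes
    the Deny catch an upload that sent no ACL header at all."""
    for op, pairs in cond.items():
        if op != "StringNotEquals":
            raise NotImplementedError(op)
        for key, expected in pairs.items():
            if context.get(key) in _as_list(expected):
                return False
    return True


def evaluate(policy, principal, action, resource, context=None):
    """Return 'Allow' or 'Deny'. An explicit Deny wins over any Allow, and no
    matching statement is an implicit Deny, as in IAM."""
    context = context or {}
    allowed = False
    for st in policy["Statement"]:
        matches = any(resource.startswith(p[:-1]) if p.endswith("/*") else resource == p
                      for p in _as_list(st["Resource"]))
        if (principal in _as_list(st["Principal"]["AWS"]) and action in _as_list(st["Action"])
                and matches and _condition_holds(st.get("Condition", {}), context)):
            if st["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


@dataclass
class S3Object:
    owner: str                                      # account that uploaded it
    full_control: set = field(default_factory=set)  # canonical IDs granted by its ACL


class Bucket:
    """Enough of S3 to show the ownership problem: the bucket policy only governs
    objects the bucket owner owns, so after a cross-account upload the bucket
    owner can read the object only if the uploader's ACL granted it."""

    def __init__(self, owner, policy):
        self.owner, self.policy, self.objects = owner, policy, {}

    def put_object(self, principal, key, headers=None):
        headers = headers or {}
        if principal != self.owner and evaluate(
                self.policy, principal, "s3:PutObject", f"{BUCKET_ARN}/{key}", headers) != "Allow":
            return False
        grants = {CANONICAL[principal]}
        if headers.get("s3:x-amz-acl") == "bucket-owner-full-control":
            grants.add(CANONICAL[self.owner])
        for grantee in headers.get("s3:x-amz-grant-full-control", "").split(","):
            if grantee.strip().startswith("id="):        # emailAddress= grantees not modelled
                grants.add(grantee.strip()[3:])
        self.objects[key] = S3Object(owner=principal, full_control=grants)
        return True

    def can_read(self, principal, key):
        return CANONICAL[principal] in self.objects[key].full_control


if __name__ == "__main__":
    for name, policy in [("allow-only", ALLOW_ONLY_POLICY), ("canned-acl", CANNED_ACL_POLICY)]:
        b = Bucket(BUCKET_OWNER, policy)
        for hdrs in ({}, {"s3:x-amz-acl": "bucket-owner-full-control"}):
            ok = b.put_object(UPLOADER, "report.csv", hdrs)
            readable = ok and b.can_read(BUCKET_OWNER, "report.csv")
            print(f"{name:10} headers={hdrs or '(none)'}: put={ok} owner_can_read={readable}")
```

Running the script shows the asker's situation in the first row (allow-only, no header: the put succeeds but the bucket owner cannot read the object) and the fix in the last row. Two caveats for real buckets: objects that were already uploaded are not touched by a new bucket policy, so the uploading account still has to re-grant them (the object owner can do that from their side, which answers the asker's last question); and on buckets created since April 2023 S3 Object Ownership defaults to "Bucket owner enforced", which disables ACLs and makes the bucket owner own every object, so this whole dance only applies to older buckets that still have ACLs enabled.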