
Can't download files uploaded by shared account s3 bucket

I have created a bucket on Amazon S3 and added a bucket policy giving another user account access to upload files to it. I added the following bucket policy:

{
    "Version": "2008-10-17",
    "Id": "Policyxxxxxxxxxxxx",
    "Statement": [
        {
            "Sid": "Stmtxxxxxxxxxxxxx",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account_number>:root"
            },
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:GetObject",
                "s3:ListMultipartUploadParts",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::<bucket_name>/*"
        },
        {
            "Sid": "Stmtxxxxxxxxxxx",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account_number>:root"
            },
            "Action": [
                "s3:PutBucketLogging",
                "s3:PutBucketNotification",
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::<bucket_name>"
        }
    ]
}

However, now I am myself unable to download the files uploaded by the sharer. I guess I haven't given them ACL rights. How should I proceed to download the files? Can they grant permission from their end for their uploaded files?
cnvzmxcvmcx asked Apr 08 '14 17:04

People also ask

How do I get permission to download a S3 bucket?

Open the IAM console and attach a policy to the IAM user that grants the permissions to upload to and download from the bucket. For the Resource value, enter the Amazon Resource Name (ARN) of the bucket with a wildcard (bucket-arn/*) so that it covers the objects in the bucket. Note that this only helps for a user in the bucket owner's own account; for objects uploaded by another account, object ownership (see the next question) also has to be dealt with.

Why can't I access an object that was uploaded to my Amazon S3 bucket by another AWS account?

Unless the bucket's S3 Object Ownership setting is "bucket owner enforced", an object uploaded by another account is owned by that account, and the object owner had to explicitly grant the bucket owner permissions on the object (by attaching an access control list). Otherwise, the bucket owner is unable to access the object.

How do I download all items from S3 bucket?

To download an entire bucket to your local file system, use the AWS CLI sync command, passing it the s3 bucket as a source and a directory on your file system as a destination, e.g. aws s3 sync s3://YOUR_BUCKET . . The sync command recursively copies the contents of the source to the destination.


2 Answers

I was facing a similar situation: the destination account was not granted full access, so the bucket policy granting CloudFront read access did not work.

In addition to OP's "s3:x-amz-grant-full-control": [ "[email protected]" ], or id=xxx, another way is to use a canned ACL. By using bucket-owner-full-control, we do not have to list a specific email or canonical ID.

{
  "Statement":[
    {
      "Effect":"Allow",
      "Principal":{"AWS":"111111111111"},
      "Action":"s3:PutObject",
      "Resource":["arn:aws:s3:::examplebucket/*","arn:aws:s3:::examplebucket"]
    },
    {
      "Effect":"Deny",
      "Principal":{"AWS":"111111111111"},
      "Action":"s3:PutObject",
      "Resource":"arn:aws:s3:::examplebucket/*",
      "Condition": {
        "StringNotEquals": {"s3:x-amz-acl":"bucket-owner-full-control"}
      }
    }
  ]
}
LeOn - Han Li answered Oct 04 '22 00:10

So the problem is that an Amazon S3 bucket policy applies only to objects owned by the bucket owner. So if you are the bucket owner and gave PutObject permission through the bucket policy, that means you also need to make sure they give you permission during the object upload. When granting cross-account permissions to upload objects, one can restrict uploads to only those objects which come with read permission for you.

Source: http://docs.aws.amazon.com/AmazonS3/latest/dev/AccessPolicyLanguage_UseCases_s3_a.html
Related discussion: https://forums.aws.amazon.com/thread.jspa?messageID=524342&%20#524342

Example bucket policy:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"111",
         "Effect":"Allow",
         "Principal":{
            "AWS":"1111111111"
         },
         "Action":"s3:PutObject",
         "Resource":"arn:aws:s3:::examplebucket/*"
      },
      {
         "Sid":"112",
         "Effect":"Deny",
         "Principal":{
            "AWS":"1111111111"
         },
         "Action":"s3:PutObject",
         "Resource":"arn:aws:s3:::examplebucket/*",
         "Condition":{
            "StringNotEquals":{
               "s3:x-amz-grant-full-control":[
                  "[email protected]"
               ]
            }
         }
      }
   ]
}
cnvzmxcvmcx answered Oct 04 '22 00:10
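Both answers rely on the same trick: an Allow for s3:PutObject paired with an explicit Deny whose StringNotEquals condition fails unless the uploader hands the bucket owner access at upload time. The script below is an added, offline model of that evaluation and of who ends up owning the object; it is not AWS code and not either answerer's. It is constructed for this page: the bucket-owner account ID, its canonical user ID and the id= grantee used in the second policy (the page's own grantee value was lost in extraction) are placeholders, condition keys are treated as single-valued, and only the two string operators the policies use are implemented. It also models the S3 Object Ownership "bucket owner enforced" mode, which is the setting that makes the whole problem go away today.

```python
import fnmatch

BUCKET = "examplebucket"
BUCKET_OWNER = "222222222222"                       # constructed: account that owns the bucket
BUCKET_OWNER_CANONICAL_ID = "0123456789abcdef" * 4  # constructed: its S3 canonical user ID
UPLOADER = "111111111111"                           # the cross-account principal from both answers


def _as_list(v):
    return v if isinstance(v, list) else [v]


# Bucket policy from the first answer: upload is denied unless the canned ACL is sent.
CANNED_ACL_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": UPLOADER}, "Action": "s3:PutObject",
     "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"]},
    {"Effect": "Deny", "Principal": {"AWS": UPLOADER}, "Action": "s3:PutObject",
     "Resource": f"arn:aws:s3:::{BUCKET}/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
]}

# Bucket policy from the second answer: upload is denied unless the bucket owner is named in
# x-amz-grant-full-control. An id= grantee built from the constructed canonical ID stands in
# for the grantee value that the page lost.
GRANT_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": UPLOADER}, "Action": "s3:PutObject",
     "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    {"Effect": "Deny", "Principal": {"AWS": UPLOADER}, "Action": "s3:PutObject",
     "Resource": f"arn:aws:s3:::{BUCKET}/*",
     "Condition": {"StringNotEquals": {
         "s3:x-amz-grant-full-control": [f"id={BUCKET_OWNER_CANONICAL_ID}"]}}},
]}

# The question's policy reduced to what matters: an Allow with no Deny guard at all.
ORIGINAL_POLICY = {"Statement": [CANNED_ACL_POLICY["Statement"][0]]}


def _principal_matches(statement, account):
    names = _as_list(statement["Principal"]["AWS"])
    return any(n in ("*", account, f"arn:aws:iam::{account}:root") for n in names)


def _condition_holds(condition, context):
    """Only the two string operators these policies use; keys are treated as single-valued."""
    for operator, tests in condition.items():
        for key, wanted in tests.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(wanted):
                    return False
            elif operator == "StringNotEquals":
                # A negated operator is TRUE when the key is absent from the request, so the
                # Deny also fires on an upload that sends no ACL or grant header at all.
                if actual is not None and actual in _as_list(wanted):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def evaluate(policy, account, action, resource, context):
    """IAM decision order: an explicit Deny beats every Allow; no match is an implicit deny."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not _principal_matches(st, account) or action not in _as_list(st["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def put_object(policy, uploader, key, headers, ownership="ObjectWriter"):
    """Simulate a cross-account PutObject and report who can read the result.

    headers maps condition-key names (s3:x-amz-acl, s3:x-amz-grant-full-control) to what the
    uploader sent. "ObjectWriter" is the legacy behaviour the question hit (uploader owns the
    object); "BucketOwnerEnforced" disables ACLs and makes the bucket owner own every object.
    """
    resource = f"arn:aws:s3:::{BUCKET}/{key}"
    decision = evaluate(policy, uploader, "s3:PutObject", resource, headers)
    if decision != "Allow":
        return {"status": 403, "decision": decision}
    acl = headers.get("s3:x-amz-acl")
    if ownership == "BucketOwnerEnforced":
        # With ACLs disabled, bucket-owner-full-control is the only canned ACL S3 still accepts.
        if acl not in (None, "bucket-owner-full-control"):
            return {"status": 400, "decision": "AccessControlListNotSupported"}
        return {"status": 200, "owner": BUCKET_OWNER, "bucket_owner_can_read": True}
    grantees = [g.strip() for g in headers.get("s3:x-amz-grant-full-control", "").split(",")]
    granted = acl == "bucket-owner-full-control" or f"id={BUCKET_OWNER_CANONICAL_ID}" in grantees
    # Legacy ownership: the uploader owns the object, and the bucket owner's own bucket policy
    # cannot grant it access to an object it does not own; only the ACL set at upload time can.
    return {"status": 200, "owner": uploader, "bucket_owner_can_read": granted}
```

Calling `put_object(ORIGINAL_POLICY, UPLOADER, "a.txt", {})` reproduces the question: the upload succeeds, the uploader owns the object, and the bucket owner cannot read it. With `CANNED_ACL_POLICY` the same bare upload is refused outright, and only an upload carrying `s3:x-amz-acl = bucket-owner-full-control` goes through as readable; under `GRANT_POLICY` it is the `x-amz-grant-full-control` header that has to name the bucket owner, and the canned ACL alone is still denied. Against a real bucket, `aws s3api get-object-acl --bucket <bucket> --key <key>` shows who owns an uploaded object, and `aws s3api put-bucket-ownership-controls` with `ObjectOwnership=BucketOwnerEnforced` (the default for new buckets) removes the need for either policy.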