Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How do I remove a "grantee" user from S3 permissions tab?

Tags:

permissions

amazon-web-services

amazon-s3

amazon-iam

This is really a two part question:

I'm seeing some users in the "Grantee" dropdown for editing S3 permissions within the AWS console.

  1. Where are those users coming from?
  2. How can I delete them?

They aren't in IAM so I'm not really sure where they're coming from.

like image 769
doremi Avatar asked Jan 18 '12 01:01

doremi

People also ask

How do I restrict Amazon S3 bucket access to a specific IAM user?

You can use the NotPrincipal element of an IAM or S3 bucket policy to limit resource access to a specific set of users. This element allows you to block all users who are not defined in its value array, even if they have an Allow in their own IAM user policies.

What is grantee on AWS S3?

Represents a user who is granted some kind of permission through a Grant.

How do I change permissions on my S3 bucket?

Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/ . In the Buckets list, choose the name of the bucket that you want to set permissions for. Choose Permissions. Under Access control list, choose Edit.

1 Answers

A grantee can either be an AWS account (which you probably added in the past) or a predefined AWS "group", such as "Authenticated Users", "All Users" or "Log Delivery". Please have a look at ACL Overview, on AWS docs, for more information.

For removing grants from a given file (or from a set of files), you can use the PUT Object acl operation.

It is not clear, on the documentation, what you need to do in order to remove an user from the "Grantee" list. I performed some tests and this is how S3 is behaving:

  • If you select a file using the S3 Management Console and add permission to a new user (not yet in your grantees list), using his email address (make sure the email belongs to a valid Amazon account), that user does NOT go to the bucket ACL, but goes to the object ACL. This user also goes to the Grantees list permanently (even though his friendly name, instead of his email address, is what shows up there).
  • If you log out from the AWS console and log in again, the user is still on the Grantees list and you can give him permissions for other objects.
  • If you remove the given user's permissions on every object, log out and log in again, the user will not show on the Grantees list anymore.
  • If you add a given user to the Bucket ACL (either via API or via the AWS Console), the user will always be in the Grantees list for objects on that bucket.

This makes me think the Grantees list contains the entire list of users in your bucket's ACL plus a cache of users with permissions to objects in your bucket (which is cleared upon logging out, if you remove those permissions).

So, I would try first removing the users you don't want from your bucket's ACL, and then (via API, of course) remove those user's permissions for the objects in your bucket.

like image 182
Viccari Avatar answered Sep 27 '22 18:09

Viccari
Sign in to Comment

Related questions

Granting Android application the android.permission.INTERNET permission while debugging on device
How to get installed applications permissions
How do I request multiple permissions at once in react native
Permission denied when accessing new EBS volume
Linux permission, what is the X? [closed]
How to set Write permission on a folder for Everyone Using Powershell
Check if role exists in DB?
KCFinder 'You do not have permission to list the files.'
Homebrew Permissions for Watchman on Muti-user Mac
java.lang.SecurityException trying to read from Android Contacts URI
Android location manager permissions to be used
How to set permissions for Android Bluetooth
Denial permission OPPO_COMPONENT_SAFE
PHP file_exists() function returns false on /usr/bin/mysql
AngularJS - permission directive
Android Marshmallow Permissions Tests
Redmi phones not asking SMS permissions and hence not reading sms
Why not use the built-in MySQL users and permissions for a website?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!