I want to add a S3 permission for a specific user. The AWS console is asking me for the Canonical ID for the user. I used the AWS CLI command aws iam list-users
to retrieve the list of users, but there was no "Canonical ID" field, and the "User ID" is not recognized, giving me an "Invalid ID" message. I tried also with the ARN and it did not work.
The canonical user ID is a long alphanumeric string. It can usually be found by logging in to the AWS console, then from the top right click your username and from the drop-down select 'Security Credentials'.
Sign in to the AWS Management Console using the account that has the S3 bucket. Open the Amazon S3 console at https://console.aws.amazon.com/s3/ . Select the bucket that you want AWS Config to use to deliver configuration items, and then choose Properties. Choose Permissions.
Finding your account ID using the AWS CLI: use the following command to view your user ID, account ID, and your user ARN:

    aws sts get-caller-identity
AWS account ID A 12-digit number, such as 123456789012 , that uniquely identifies an AWS account. Many AWS resources include the account ID in their Amazon Resource Names (ARNs). The account ID portion distinguishes resources in one account from the resources in another account.
To grant permissions to an IAM user on a bucket, you'll need to create a Bucket Policy, which is a JSON document. The "Access for other AWS accounts" option in the ACL is for granting access to other (wholly separate) root AWS accounts, not for granting access to IAM users within your own root account.
To access the bucket policy, browse to a bucket in the S3 web console. There you'll see the Overview/Properties/Permissions/Management tabs. Under Permissions there is a sub-tab called "Bucket Policy". At the bottom of the Bucket Policy page there is a link to a "Policy Generator", which will generate the JSON for you. (or the direct link is http://awspolicygen.s3.amazonaws.com/policygen.html)
To identify the IAM user you want to grant permissions to, you'll use an ARN (Amazon Resource Name). The ARN format for IAM users is as follows: "arn:aws:iam::{Account-ID}:user/{Username}" (note the curly braces aren't part of the format). An example IAM ARN looks like this: arn:aws:iam::100123456789:user/Daniel
To get your numeric account ID, sign in as the root user and click your user name in the upper right corner of the page and choose "My Account" (which takes you to https://console.aws.amazon.com/billing/home?#/account ). The account ID is listed under "Account Settings" at the top of the page.
Plug that user ARN into the "Principal" field of the policy generator, and choose which action(s) to grant to the user from the dropdown list.
To grant permissions to a bucket, or a set of files (objects) within a bucket, you need to enter an ARN that identifies the bucket, or some subset of objects within the bucket, into the "Amazon Resource Name" field (e.g. if I had a bucket called daniels-stuff and a folder in that bucket called images that I wanted to grant access to, then I could provide an ARN such as arn:aws:s3:::daniels-stuff/images/*).
Hit "Add Statement" when you've put in the necessary information and then hit "Generate Policy". Note you can put multiple statements (access right assignments) into the one policy.
Finally, there is a good primer on S3 bucket policies at https://brandonwamboldt.ca/understanding-s3-permissions-1662/ which includes some example policies.
Good luck (although I assume you've probably solved your issue now, others may find this helpful).
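As an added example (not part of the answer above or of any AWS documentation), the steps described above collapsed into a script: it builds the bucket policy for the user ARN and object ARN from the answer and, when asked to, applies it with the AWS CLI. The account ID 100123456789, user Daniel, bucket daniels-stuff and prefix images are the answer's illustrative values, not real identifiers. Two points the policy generator will not make for you are built in: s3:ListBucket must be granted on the bucket ARN (not the object ARN) and is narrowed with an s3:prefix condition so the user cannot list the whole bucket, and the policy is checked for a wildcard Principal before it is applied, because put-bucket-policy replaces the bucket's entire existing policy and a stray "*" makes the bucket public.

```shell
#!/bin/sh
# Added example, not code from the original page. All names below are
# assumed/illustrative values taken from the answer (not real resources).

# build_bucket_policy ACCOUNT_ID USERNAME BUCKET PREFIX
# Prints a bucket policy with two statements for one IAM user:
#   1. s3:GetObject on objects under PREFIX/ (object ARN: bucket/key form)
#   2. s3:ListBucket on the bucket ARN itself, limited by an s3:prefix
#      condition, because ListBucket is evaluated against the bucket, not
#      against objects, and would otherwise list every key in the bucket.
build_bucket_policy() {
  account_id="$1"; username="$2"; bucket="$3"; prefix="$4"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadObjectsUnderPrefix",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${account_id}:user/${username}" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::${bucket}/${prefix}/*"
    },
    {
      "Sid": "ListOnlyThatPrefix",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${account_id}:user/${username}" },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::${bucket}",
      "Condition": { "StringLike": { "s3:prefix": [ "${prefix}/*" ] } }
    }
  ]
}
EOF
}

# check_policy_scoped POLICY_JSON
# Returns non-zero if the policy would grant access to everyone ("*" principal)
# or to every bucket in the partition. A bucket policy is the one place where a
# typo turns a private bucket into a public one, so refuse to apply such a policy.
check_policy_scoped() {
  policy="$1"
  if printf '%s' "$policy" | grep -Eq '"Principal": *"\*"|"AWS": *"\*"'; then
    echo "refusing to apply: wildcard principal (bucket would be public)" >&2
    return 1
  fi
  if printf '%s' "$policy" | grep -Eq '"Resource": *"arn:aws:s3:::\*"'; then
    echo "refusing to apply: resource is not scoped to a bucket" >&2
    return 1
  fi
  return 0
}

# apply_bucket_policy BUCKET POLICY_JSON
# put-bucket-policy REPLACES any existing bucket policy, so merge any statements
# you still need into POLICY_JSON before calling this.
apply_bucket_policy() {
  bucket="$1"; policy="$2"
  check_policy_scoped "$policy" || return 1
  aws s3api put-bucket-policy --bucket "$bucket" --policy "$policy"
}

# Usage. Without APPLY=1 the script only prints the policy, so it runs offline.
# With APPLY=1 (and working AWS credentials) it reads the account ID of the
# calling identity with sts get-caller-identity and applies the policy.
if [ "${APPLY:-0}" = 1 ]; then
  account_id=$(aws sts get-caller-identity --query Account --output text)
  apply_bucket_policy daniels-stuff \
    "$(build_bucket_policy "$account_id" Daniel daniels-stuff images)"
else
  build_bucket_policy 100123456789 Daniel daniels-stuff images
fi
```

Save the printed JSON if you prefer to paste it into the "Bucket Policy" editor in the console instead of applying it from the CLI; the two statements are exactly what the policy generator would produce from the user ARN and the two resource ARNs, plus the prefix condition.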
The user's canonical ID is easiest to find by calling, as the user whose ID you want to find, aws s3api list-buckets:
    aws --profile PROD s3api list-buckets
    {
        "Owner": {
            "DisplayName": "a-display-name",
            "ID": "a-64?-char-hex-string"    <<-- this HERE is the canonical user ID
        },
        "Buckets": [
            {
                "CreationDate": "2018-03-28T21:50:56.000Z",
                "Name": "bucket-1"
            },
            {
                "CreationDate": "2018-03-22T14:08:48.000Z",
                "Name": "bucket-2"
            }
        ]
    }
With this ID, you can then call the s3api to grant access, e.g. to give read access, like this:
    aws --profile OTHER s3api put-object-acl \
        --bucket bucket-3 \
        --key path/to/file \
        --grant-read id="the-64-char-hex"