I need an Amazon S3 user with full access to a single bucket

I have a user foo with the following privileges (it's not a member of any group):

{
  "Statement": [
    {
      "Sid": "Stmt1308813201865",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bar"
    }
  ]
}

That user, however, seems unable to upload or do much of anything until I grant full access to authenticated users (which might apply to anyone). This still doesn't let the user change permissions, as boto is throwing an error after an upload when it tries to do key.set_acl('public-read').

Ideally this user would have full access to the bar bucket and nothing else, what am I doing wrong?

763 likes
Kit Sunde asked Nov 20 '11 18:11


People also ask

How do I give access to a single S3 bucket?

Select the group that you just created, e.g. S3OneFS, and click "Group Actions". Select "Add Users to Group". Then, select your user, e.g. ObjectiveFS, and click "Add Users". You can now use your "Access Key ID" and "Secret Access Key" to run ObjectiveFS restricted to a single bucket.

How do I restrict Amazon S3 bucket access to a specific IAM user?

You can use the NotPrincipal element of an IAM or S3 bucket policy to limit resource access to a specific set of users. This element allows you to block all users who are not defined in its value array, even if they have an Allow in their own IAM user policies.

Who has access to S3 bucket?

By default, all Amazon S3 buckets and objects are private. Only the resource owner, which is the AWS account that created the bucket, can access that bucket. The resource owner can, however, choose to grant access permissions to other resources and users.


2 Answers

You need to grant s3:ListBucket permission to the bucket itself. Try the policy below.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "S3:*",
      "Resource": "arn:aws:s3:::bar/*",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::bar",
      "Condition": {}
    }
  ]
}
188 likes
cloudberryman answered Oct 21 '22 23:10


The selected answer didn't work for me, but this one did:

{
  "Statement": [
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    }
  ]
}

Credit: http://mikeferrier.com/2011/10/27/granting-access-to-a-single-s3-bucket-using-amazon-iam/

40 likes
Suman answered Oct 21 '22 22:10
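Both answers turn on one detail of how IAM matches a Resource ARN: object operations such as PutObject and PutObjectAcl are authorized against arn:aws:s3:::bucket/key, ListBucket is authorized against the bare bucket ARN, and ListAllMyBuckets against arn:aws:s3:::*. The question's policy names only the bare bucket ARN, so every object request fails. The toy evaluator below is an added example (not code from the question, either answer, or AWS) that reimplements just enough of IAM's wildcard matching to run the three policies on this page against the requests boto makes; the sample object keys and the second bucket name are constructed, the second answer's bucket is renamed from my-bucket to bar so one request list fits all three policies, and Deny, Condition, bucket policies and ACLs are deliberately not modelled.

```python
"""
Toy IAM evaluator for the three policies on this page.

Added example, not code from the question, the answers, or AWS. It models only
the Allow/Action/Resource matching needed to show why object operations need
the bucket/* ARN, ListBucket needs the bare bucket ARN and ListAllMyBuckets
needs arn:aws:s3:::*. Deny, Condition, bucket policies and ACLs are ignored,
so use the real AWS policy simulator for anything beyond illustration.
"""
import re

# Policy from the question: only the bucket ARN, so object keys never match.
ORIGINAL_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::bar"}
    ]
}

# Accepted answer: objects via bar/*, plus ListBucket on the bucket itself.
FIXED_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "S3:*",
         "Resource": "arn:aws:s3:::bar/*", "Condition": {}},
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::bar", "Condition": {}},
    ]
}

# Second answer, with my-bucket renamed to bar (assumption, so the same
# requests apply): bucket and objects, plus ListAllMyBuckets for tools that
# enumerate buckets before touching one.
LIST_ALL_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::bar", "arn:aws:s3:::bar/*"]},
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets",
         "Resource": "arn:aws:s3:::*"},
    ]
}


def _matches(pattern, value):
    """IAM wildcard matching: '*' matches any run of characters (including
    '/'), '?' matches exactly one character, and the whole value must match."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    """IAM accepts a single string or a list for Action, Resource and Statement."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def is_allowed(policy, action, resource):
    """True if some Allow statement matches both the action name (IAM compares
    action names case-insensitively) and the resource ARN (case-sensitive)."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements are not modelled here
        action_ok = any(_matches(a.lower(), action.lower())
                        for a in _as_list(stmt.get("Action", [])))
        resource_ok = any(_matches(r, resource)
                          for r in _as_list(stmt.get("Resource", [])))
        if action_ok and resource_ok:
            return True
    return False


# Requests the question's user actually makes; key and other-bucket name are
# constructed sample values.
REQUESTS = [
    ("s3:ListAllMyBuckets", "arn:aws:s3:::*"),             # boto get_all_buckets()
    ("s3:ListBucket", "arn:aws:s3:::bar"),                  # list keys in bar
    ("s3:PutObject", "arn:aws:s3:::bar/photo.jpg"),         # the upload
    ("s3:PutObjectAcl", "arn:aws:s3:::bar/photo.jpg"),      # key.set_acl('public-read')
    ("s3:GetObject", "arn:aws:s3:::other/secret"),          # must stay denied
]


def evaluate(policy):
    """Map each (action, resource) request to the evaluator's verdict."""
    return {req: is_allowed(policy, *req) for req in REQUESTS}


if __name__ == "__main__":
    for name, policy in [("original", ORIGINAL_POLICY),
                         ("accepted answer", FIXED_POLICY),
                         ("second answer", LIST_ALL_POLICY)]:
        print(name)
        for (action, resource), ok in evaluate(policy).items():
            print(f"  {'ALLOW' if ok else 'deny ':5} {action:20} {resource}")
```

Running it shows the question's policy allowing only ListBucket, the accepted answer allowing the upload and the set_acl call while still denying the other bucket, and only the second answer's extra statement satisfying ListAllMyBuckets, which is the usual reason a client that first enumerates buckets still fails under the accepted answer.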