I am struggling to get a AWS S3 IAM user policy to work, this is my current IAM user's policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1424859689000",
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::vault-us/*"
            ]
        }
    ]
}
When I do a post to create a new object in my S3 bucket I get a 403 Forbidden error but when I use the Managed Policy called 'AmazonS3FullAccess' then everything works just fine.
What I am trying to do is restrict certain IAM users to upload/download rights, but I am struggling to get this working.
Any suggestions would be appreciated!
If you're getting Access Denied errors on public read requests that are allowed, check the bucket's Amazon S3 Block Public Access settings. Review the S3 Block Public Access settings at both the account and bucket level. These settings can override permissions that allow public read access.
The "403 Access Denied" error can occur for the following reason: your AWS Identity and Access Management (IAM) user or role doesn't have permissions for both s3:GetBucketPolicy and s3:PutBucketPolicy.
I managed to figure out that in order for upload to work I needed to include the action "s3:PutObjectAcl". Here is the example of my IAM policy below:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::vault-us"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::vault-us/*"
            ]
        }
    ]
}
First thing you can do is figure out if it's the actions that are wrong or the resource scope. Can you try these two policies one at a time:
"Action": [
    "s3:*"
],
"Resource": [
    "arn:aws:s3:::vault-us/*"
]
and
"Action": [
    "s3:DeleteObject",
    "s3:GetObject",
    "s3:PutObject"
],
"Resource": [
    "*"
]
If the first one works and the second fails, you don't have enough permissions to do your operation, e.g. try adding ListBucket or similar (I tend to add all likely ones and gradually remove them until it breaks).
If the first one breaks and the second one works, then your resource declaration is wrong; the most common fix I've found is to try adding:
"Action": [
    "s3:DeleteObject",
    "s3:GetObject",
    "s3:PutObject"
],
"Resource": [
    "arn:aws:s3:::vault-us/*",
    "arn:aws:s3:::vault-us"
]
If both fail, then chances are both your action and your resource are wrong.
Good Luck
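The two answers above turn on the same distinction: bucket-level actions such as s3:ListBucket are evaluated against the bucket ARN (arn:aws:s3:::vault-us), while object-level actions such as s3:PutObject and s3:PutObjectAcl are evaluated against the object ARN (arn:aws:s3:::vault-us/key), so a statement scoped only to "vault-us/*" can never allow ListBucket. The script below is an added example, not code from the question or either answer: it is a deliberately simplified model of IAM evaluation (explicit Deny wins, then any matching Allow, otherwise implicit deny; no Condition, Principal, or bucket-policy handling) that runs the original policy, the fixed policy from the accepted answer, and the two diagnostic policies from the second answer against the same three requests. The bucket name comes from the question; the object key "report.csv" and the policy names are constructed for the example.

```python
import fnmatch
import json

# Constructed example: a simplified IAM evaluation model, not the AWS engine.
# Evaluation order modelled: explicit Deny > matching Allow > implicit deny.

BUCKET = "vault-us"  # bucket name from the question

# The policy the question started with: object actions on object ARNs only.
ORIGINAL_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:DeleteObject", "s3:GetObject", "s3:PutObject"],
    "Resource": ["arn:aws:s3:::vault-us/*"]
  }]
}""")

# The working policy from the accepted answer: bucket-level actions on the
# bucket ARN, object-level actions (including PutObjectAcl) on object ARNs.
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
     "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::vault-us"]},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:PutObjectAcl"],
     "Resource": ["arn:aws:s3:::vault-us/*"]}
  ]
}""")

# The two diagnostic policies from the second answer.
WIDE_ACTIONS = {"Statement": [{"Effect": "Allow", "Action": ["s3:*"],
                               "Resource": ["arn:aws:s3:::vault-us/*"]}]}
WIDE_RESOURCE = {"Statement": [{"Effect": "Allow",
                                "Action": ["s3:DeleteObject", "s3:GetObject", "s3:PutObject"],
                                "Resource": ["*"]}]}


def _as_list(value):
    """IAM accepts a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' a single one.
    # fnmatchcase implements the same two wildcards, case-sensitively.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; ARNs are compared as-is.
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not _matches(actions, action.lower()):
            continue
        if not _matches(_as_list(stmt.get("Resource", [])), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides every Allow
        decision = "Allow"
    return decision


# Requests an upload-with-ACL-then-list workflow issues. ListBucket is a
# bucket-level call, so its ARN has no '/key' suffix; object calls do.
REQUESTS = [
    ("s3:PutObject", f"arn:aws:s3:::{BUCKET}/report.csv"),
    ("s3:PutObjectAcl", f"arn:aws:s3:::{BUCKET}/report.csv"),
    ("s3:ListBucket", f"arn:aws:s3:::{BUCKET}"),
]


def check(policy):
    """Map each request's action to the decision the policy yields for it."""
    return {action: evaluate(policy, action, res) for action, res in REQUESTS}


if __name__ == "__main__":
    for name, policy in [("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY),
                         ("wide actions", WIDE_ACTIONS), ("wide resource", WIDE_RESOURCE)]:
        print(f"{name:14s} {check(policy)}")
```

Running it shows the original policy allowing PutObject but implicitly denying PutObjectAcl (action missing) and ListBucket (resource never matches the bucket ARN), while the fixed policy allows all three. For ListBucket both diagnostic policies still deny: the "s3:*" policy because "vault-us/*" does not match the bucket ARN, and the "*" policy because ListBucket is not listed, which is the "both fail" case the second answer describes. Because this is a model and not the real engine, treat its output as a hint about which side of the statement to inspect, and confirm with the IAM policy simulator or a real request before relying on it.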