An external user has access to our s3 bucket, using these actions in our bucket policy:
"Action": [ "s3:GetObjectAcl", "s3:GetObject", "s3:PutObjectAcl", "s3:ListMultipartUploadParts", "s3:PutObject" ]
That user generated temporary credentials, which were then used to upload a file into our bucket.
Now, I cannot access the file. In the s3 UI, if I attempt to download the file, I get a 403. If I attempt to change the permissions on that object, I see the message: "Sorry! You do not have permissions to view this bucket." If the external user sets the appropriate header (x-amz-acl: bucket-owner-full-control) when uploading the file with the temporary credentials, I can access the file normally. It seems strange to me that even though I own the bucket, it is possible for the external user to put files into it that I am unable to access.
Is it possible that there is some policy I can set so I can access the file, or so that I am able to access any file that is added to my bucket, regardless of how it is added? Thanks!
If your bucket policy already grants access to the other account, then cross-account users can get Access Denied errors for these reasons: The user's IAM policy doesn't grant access to the bucket. The object is encrypted by AWS Key Management Service (AWS KMS), and the user doesn't have access to the KMS key.
Using cross-account IAM roles simplifies provisioning cross-account access to S3 objects that are stored in multiple S3 buckets. As a result, you don't need to manage multiple policies for S3 buckets. This method allows cross-account access to objects owned or uploaded by another AWS account or AWS services.
If you're getting Access Denied errors on public read requests that are allowed, check the bucket's Amazon S3 Block Public Access settings. Review the S3 Block Public Access settings at both the account and bucket level. These settings can override permissions that allow public read access.
I believe you have to get the object owner to update the ACL or re-write the object specifying bucket owner full control. The simplest way to experiment with this is using the CLI:
aws s3api put-object-acl --acl bucket-owner-full-control --bucket some-bucket --key path/to/unreadable.txt
Yeah, I think you have to do that once for each object, I don't think there is a recursive option.
AWS publishes an example bucket policy to prevent adding objects to the bucket without giving the bucket owner full control. But that will not address ownership of the objects already in your bucket.
I don't know of any policy that will automagically transfer ownership to the bucket owner.
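The kind of bucket policy referred to above, written out as an added illustration rather than quoted from the thread or from AWS documentation: the first statement keeps the cross-account grant from the question, and the second denies any PutObject that does not carry the bucket-owner-full-control ACL. The account ID 111122223333 and the bucket name EXAMPLE-BUCKET are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowExternalAccountObjectAccess",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": [
        "s3:GetObjectAcl",
        "s3:GetObject",
        "s3:PutObjectAcl",
        "s3:ListMultipartUploadParts",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*"
    },
    {
      "Sid": "DenyUploadsWithoutBucketOwnerFullControl",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
```

Because the Deny statement matches every principal, uploads from the bucket owner's own account are also rejected unless they send the same header, and objects that were uploaded before the policy was attached keep their existing ACL and still need the put-object-acl fix from the object owner.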