Policy JSON:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "...",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name"
            ]
        }
    ]
}
This is what's shown as a warning in the AWS console:
This policy defines some actions, resources, or conditions that do not provide permissions. To grant access, policies must have an action that has an applicable resource or condition.
There is even a link provided in that warning that goes here: http://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_policies.html?icmpid=docs_iam_console#policy-summary-not-grant-permissions
But trying what they suggest doesn't help; the policy summary still complains and I still can't access the bucket from my code.
Update: When I set the resource to "Resource": "*", it stops complaining in the console but the code still can't upload to the bucket.
Update 2: The problem was that the bucket name in my code wasn't correct (I had tried a different tutorial and had not changed the bucket name in it).
You grant access to a resource by setting an Identity and Access Management (IAM) policy on the resource. The policy binds one or more members, such as a user or a service account, to one or more roles. Each role contains a list of permissions that let the member interact with the resource.
There are two different types of users in AWS. You are either the account owner (root user), or you are an AWS Identity and Access Management (IAM) user.
To assign permissions to a user, group, role, or resource, you create a policy that lets you specify: Actions – Which AWS service actions you allow. For example, you might allow a user to call the Amazon S3 ListBucket action. Any actions that you don't explicitly allow are denied.
You should use IAM roles to grant access to your AWS accounts by relying on short-term credentials, a security best practice. Authorized identities, which can be AWS services or users from your identity provider, can assume roles to make AWS requests. To grant permissions to a role, attach an IAM policy to it.
However, the policy still does not provide any permissions because there is no case where a single action matches both conditions. Instead, you must create two separate statements that each include only actions with the conditions to which they apply. To fix this policy, create two statements.
A Conditional Access policy must contain at minimum the following to be enforced:
1. Name of the policy.
2. Assignments: users and/or groups to apply the policy to; cloud apps or actions to apply the policy to.
3. Access controls: Grant or Block controls.
To learn about these and other policy elements, see IAM JSON policy elements reference. To grant access, your policy must define an action with a supported resource. If your policy also includes a condition, that condition must include a global condition key or must apply to the action.
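The rule above (an action only grants access when the statement lists a resource type it supports) can be checked mechanically. The following Python is an added example, not part of the original page or of any AWS tool; the action table is a hand-picked subset of S3 actions, the function names are hypothetical, and FIXED_POLICY is constructed. It reports, per Allow statement, which S3 actions match no listed resource.

```python
import fnmatch

# Hand-picked subset of S3 actions and the resource type each applies to
# (assumption for this example; not the complete AWS list).
S3_ACTIONS = {
    "s3:ListBucket": "bucket",
    "s3:GetBucketLocation": "bucket",
    "s3:GetObject": "object",
    "s3:PutObject": "object",
    "s3:DeleteObject": "object",
}

def as_list(value):
    """IAM accepts a single string or object where a list is expected."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def resource_kinds(arn):
    """Resource types an S3 ARN pattern can match."""
    name = arn.split(":::", 1)[-1]
    if "/" in name:
        return {"object"}  # arn:aws:s3:::bucket/key
    # "*" also matches "/", so a wildcard bucket part reaches object ARNs too.
    return {"bucket", "object"} if "*" in name else {"bucket"}

def unmatched_actions(policy):
    """Map statement index -> S3 actions that no listed resource supports."""
    findings = {}
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        kinds = set()
        for arn in as_list(stmt.get("Resource", [])):
            kinds |= resource_kinds(arn)
        patterns = [p.lower() for p in as_list(stmt.get("Action", []))]
        dead = sorted(
            action for action, kind in S3_ACTIONS.items()
            if kind not in kinds
            and any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)
        )
        if dead:
            findings[i] = dead
    return findings

# The policy from the question, and a constructed variant with the object ARN.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "...", "Effect": "Allow", "Action": ["s3:*"],
    "Resource": ["arn:aws:s3:::bucket-name"]}]}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "...", "Effect": "Allow", "Action": ["s3:*"],
    "Resource": ["arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*"]}]}
```

For PAGE_POLICY the check flags the object-level actions, because the only resource listed is the bucket itself; FIXED_POLICY produces no findings.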
If there is a policy that is configured to block access, with the block grant control, enforcement will stop here and the user will be blocked. The user will be prompted to complete additional grant control requirements that were not satisfied during phase 1 in the following order, until policy is satisfied:
One of the reasons I encounter is that I list the bucket resource as:
arn:aws:s3:::my-datasets
arn:aws:s3:::my-datasets/*
But under my "my-datasets" bucket there is no child folder. Thus the "/*" confuses AWS because when it evaluates this policy it can't find anything under "my-datasets". After I created a new folder under "my-datasets" the warning is gone.