I was trying to create a bucket and set full permissions for two more accounts. First, I added those accounts in bucket Permissions. Files were still inaccessible. Then, I tried a policy. I created two roles for each account to specify them in it. Here is that policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::id:role/user1",
          "arn:aws:iam::id:role/user2"
        ]
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::bucket-name/*",
        "arn:aws:s3:::bucket-name"
      ]
    }
  ]
}
Still nothing. Then I saw that even though the bucket has all the permissions set, the files in it don't have any. When I set them for a file, it becomes accessible to other users. But I wouldn't really want to do that for each file I upload. What's wrong?
I tried uploading files with the aws cli and setting permissions there with the "--grants" option, but after uploading, I can't even download them myself via the AWS console.
If a bucket policy grants access to an object, you do not need to also grant access at the object-level.
The bucket policy you have listed would grant access to the bucket if it is being accessed via credentials that are issued from a role that is called user1 or user2. (It's quite strange that you are giving 'user' prefixes to role names.)
For example, if you have an Amazon EC2 instance that is assigned an IAM role called user1, then it will be automatically given credentials to access the bucket.
If user1 and user2 are actually users, then the ARN should be:
arn:aws:iam::id:user/user1
In this case, the bucket will be accessible when accessed with that user's credentials.
Update:
I think it actually needs permissions to be assigned in two locations:
s3:* permissions against * resources, then this isn't needed. At a minimum it needs permissions against S3 for the desired bucket.
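As an added example (not code from the question or the answer), a small Python helper that builds the bucket policy the answer describes and checks a policy for the problems discussed above: a principal ARN of the wrong type (role/ where the caller is an IAM user, or the reverse), a placeholder such as "id" instead of a 12-digit account id, and a Resource list that lacks the bucket-level or object-level entry. The account id, bucket name and principal names used are constructed placeholders.

```python
import re

# IAM principal ARNs come in the two shapes the answer distinguishes: user/ and role/.
_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(user|role)/[\w+=,.@/-]+$")

def principal_arn(account_id, name, kind="user"):
    """Build a principal ARN; kind is 'user' for an IAM user, 'role' for an IAM role."""
    if kind not in ("user", "role"):
        raise ValueError("kind must be 'user' or 'role'")
    return f"arn:aws:iam::{account_id}:{kind}/{name}"

def build_bucket_policy(bucket, principals):
    """Bucket policy granting s3:* on the bucket and on every object in it,
    so no per-object grants are needed (the answer's point)."""
    for arn in principals:
        if not _ARN_RE.match(arn):
            raise ValueError(f"malformed principal ARN: {arn}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowAccess",
            "Effect": "Allow",
            "Principal": {"AWS": list(principals)},
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }

def check_policy(policy, bucket, caller_kind):
    """Findings that explain 'still nothing': principal ARN type not matching the
    caller, a non-numeric account id placeholder, or a missing resource entry."""
    findings, bucket_arn = [], f"arn:aws:s3:::{bucket}"
    for stmt in policy.get("Statement", []):
        principals = stmt.get("Principal", {}).get("AWS", [])
        resources = stmt.get("Resource", [])
        principals = [principals] if isinstance(principals, str) else principals
        resources = [resources] if isinstance(resources, str) else resources
        for arn in principals:
            m = _ARN_RE.match(arn)
            if not m:
                findings.append(f"malformed principal ARN: {arn}")
            elif m.group(2) != caller_kind:
                findings.append(f"{arn} is a {m.group(2)} ARN but the caller is an IAM {caller_kind}")
        if bucket_arn not in resources:
            findings.append("no bucket-level resource (needed for s3:ListBucket)")
        if f"{bucket_arn}/*" not in resources:
            findings.append("no object-level resource (needed for s3:GetObject)")
    return findings
```

Feed the policy from the question to `check_policy` with `caller_kind="user"` and it reports the "id" placeholder; with real account ids and role ARNs it reports the user/role mismatch the answer points out.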