Amazon S3: Temporary Credentials

Question

I have setup a webservice to create temporary credentials to a bucket in amazon s3 so that another application can use these temporary credentials to upload files.

I want to create individual folders in the bucket for each userId and the temporary credentials will only allow access to the folder for the particular user

Here is the policy that I am currently using

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "1",
        "Effect": "Allow",
        "Action": [
            "s3:*"
        ],
        "Resource": [
            "arn:aws:s3:::myTestBucket/1/*"
        ]
    }
]

}

So far, this allows the calling applications to upload files to the folder 1 in myTestBucket and not the folder 2, which is expected. One of the applications now needs to list the objects within the folder for each of the users.

Using this same policy I get the following exception when I do this with the temporary credentials

Status Code: 403, AWS Service: Amazon S3, AWS Request ID: 7BC4C177E8CA1762, AWS Error Code: AccessDenied, AWS Error Message: Access Denied

Can anyone suggest what needs to be updated in my policy in order to allow me to list files?

Answer 1

The list bucket operation is on the bucket, so your policy must be updated to allow specific operations on the bucket

Using a policy like the one below would give users ability upload, get and delete their files and list their files:

{
  "Version": "2012-10-17",
  "Statement": [
     {
       "Effect":"Allow",
       "Action":["s3:PutObject","s3:GetObject","s3:DeleteObject"],
       "Resource":"arn:aws:s3:::__MY_APPS_BUCKET_NAME__/__USERNAME__/*"
     },
     {
       "Effect":"Allow",
       "Action":"s3:ListBucket",
       "Resource":"arn:aws:s3:::__MY_APPS_BUCKET_NAME__",
       "Condition":{"StringLike":{"s3:prefix":"__USERNAME__/"}}
     }
  ]
}