Reputation: 1111
Can't download files uploaded by shared account s3 bucket
I have created a bucket on amazon s3 and added bucket policy giving another user account access to upload files to it. I added the following bucket policy.
However, now I am myself unable to download the files uploaded by the sharer. I guess I havn't given them acl rights. How should I proceed to download the files. Can they grant permission from their end for their uploaded files?
{
"Version": "2008-10-17",
"Id": "Policyxxxxxxxxxxxx",
"Statement": [
{
"Sid": "Stmtxxxxxxxxxxxxx",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account_number>:root"
},
"Action": [
"s3:AbortMultipartUpload",
"s3:GetObject",
"s3:ListMultipartUploadParts",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::<bucket_name>/*"
},
{
"Sid": "Stmtxxxxxxxxxxx",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account_number>:root"
},
"Action": [
"s3:PutBucketLogging",
"s3:PutBucketNotification",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::<bucket_name>"
}
]
}
Upvotes: 11
Views: 14003
Answers (4)
Reputation: 10224
Was facing a similar situation that the destination account was not granted full access that the bucket policy granting cloudfront read access does not work.
In addition to OP's "s3:x-amz-grant-full-control":[ "[email protected]" ], or id=xxx, another way is to use the Canned ACL. By using the bucket-owner-full-control, we do not have to list a specific email or canonical id.
{
"Statement":[
{
"Effect":"Allow",
"Principal":{"AWS":"111111111111"},
"Action":"s3:PutObject",
"Resource":["arn:aws:s3:::examplebucket/*","arn:aws:s3:::examplebucket"]
},
{
"Effect":"Deny",
"Principal":{"AWS":"111111111111"},
"Action":"s3:PutObject",
"Resource":"arn:aws:s3:::examplebucket/*",
"Condition": {
"StringNotEquals": {"s3:x-amz-acl":"bucket-owner-full-control"}
}
}
]
}
Upvotes: 1
Reputation: 1
I faced a similar problem
I copied files from <sharerprofile> to a new amazon account in the bucket <bucketname>
and i could not download the files from the new amazon account because of access protection.
So i did the following :
aws --profile <sharerprofile> s3api put-object-acl --acl authenticated-read --bucket <bucketname> --key <pathofthefileInBucket>
I did not find how to do this automatically for multiple files, so i had to repeat the same command for each file
Upvotes: 0
Reputation: 1111
So the problem is that the amazon s3 bucket applies bucket policy to only objects owned by bucket owner. So if you are the bucket owner and gave put object permission through bucket policy that mean you also need to make sure they give you permission during the object upload. While granting cross-account permissions to upload objects one can restrict only objects which comes with read permission only.
Source: http://docs.aws.amazon.com/AmazonS3/latest/dev/AccessPolicyLanguage_UseCases_s3_a.html Related discussion : https://forums.aws.amazon.com/thread.jspa?messageID=524342&%20#524342 Example bucket policy :
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"111",
"Effect":"Allow",
"Principal":{
"AWS":"1111111111"
},
"Action":"s3:PutObject",
"Resource":"arn:aws:s3:::examplebucket/*"
},
{
"Sid":"112",
"Effect":"Deny",
"Principal":{
"AWS":"1111111111"
},
"Action":"s3:PutObject",
"Resource":"arn:aws:s3:::examplebucket/*",
"Condition":{
"StringNotEquals":{
"s3:x-amz-grant-full-control":[
"[email protected]"
]
}
}
}
]
}
Upvotes: 7
Reputation: 644
If your using IAM user account you should use the IAM Policy Tester to see exactly how those policy changes will look like once you have deployed them.
http://docs.aws.amazon.com/IAM/latest/UsingPolicySimulatorGuide/iam-policy-simulator-guide.html
Upvotes: -1
Related Questions
- Amazon S3 File Permissions, Access Denied when copied from another account
- S3 cross account file transfer, file not accessible
- EC2 instance does not have rights to download file
- Not able to download file from AWS S3 Access Denied Error
- IAM user with full S3 access cannot download file
- How to download S3 bucket files without AWS account
- Error During downloading files from S3 to EC2
- Why can't I download files from s3 bucket, when permissions are set?
- Unable to download file from Amazon S3
- Cannot download from AWS S3: Access Denied