Martin Bean

Reputation: 39389

S3 IAM policy works in simulator, but not in real life

I have a client who I want to be able to upload files, but not navigate freely around my S3 bucket. I’ve created them an IAM user account, and applied the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1416387009000",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "Stmt1416387127000",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::progress"
            ]
        },
        {
            "Sid": "Stmt1416387056000",
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::progress/*"
            ]
        }
    ]
}

There are three statements:

  1. Ability to list all buckets (otherwise they can’t see anything in the S3 console when they log in)
  2. Ability to list the contents of the progress bucket
  3. Ability to put objects in the progress bucket

The user can log in to the AWS console with their username and password (and my custom account URL, i.e. https://account.signin.aws.amazon.com/console). They can go to the S3 section of the console, and see a list of all my buckets. However, if they click progress then they just get the following error message:

Sorry! You were denied access to do that.

I’ve checked with the IAM Policy Simulator whether the user has the ListBucket permission on the bucket’s ARN (arn:aws:s3:::progress) and the Policy Simulator says the user should be allowed.

I’ve logged out and in again as the target user in case policies are only refreshed on log out, but still no joy.

What have I done wrong? Have I missed something?

Upvotes: 3

Views: 3639

Answers (1)

mkobit

Reputation: 47259

My guess is that when using the AWS console another call is made to get the bucket location before it can list the objects in that bucket, and the user doesn't have permission to make that call. You need to also give the account access to GetBucketLocation. Relevant text from the documentation:

When you use the Amazon S3 console, note that when you click a bucket, the console first sends the GET Bucket location request to find the AWS region where the bucket is deployed. Then the console uses the region-specific endpoint for the bucket to send the GET Bucket (List Objects) request. As a result, if users are going to use the console, you must grant permission for the s3:GetBucketLocation action as shown in the following policy statement:

{
   "Sid": "RequiredByS3Console",
   "Action": ["s3:GetBucketLocation"],
   "Effect": "Allow",
   "Resource": ["arn:aws:s3:::*"]
}

Upvotes: 5
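The gap between "the simulator says ListBucket is allowed" and "the console says denied" is that the simulator was asked about one call while the console issues a sequence. The following is an added example, not code from the question or the answer: a small, constructed offline evaluator with default-deny semantics and `*` wildcards, run over the question's policy and over the same policy with the GetBucketLocation statement appended. It models only Allow statements, Action and Resource (no Deny, NotAction or Conditions), and the call sequence it replays is the one the quoted documentation describes. As a least-privilege choice of my own, the added statement scopes `s3:GetBucketLocation` to the bucket ARN rather than the documentation's `arn:aws:s3:::*`; verify that narrower resource in the Policy Simulator before relying on it.

```python
"""Replay the S3 console's click sequence against an IAM policy (constructed example).

Simplified evaluator: default deny, any matching Allow statement permits the call,
'*' wildcards in Action/Resource. Deny, NotAction and Condition are not modelled.
"""
import copy
import fnmatch

# The policy from the question, reproduced as a Python dict.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Stmt1416387009000", "Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets"], "Resource": ["arn:aws:s3:::*"]},
        {"Sid": "Stmt1416387127000", "Effect": "Allow",
         "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::progress"]},
        {"Sid": "Stmt1416387056000", "Effect": "Allow",
         "Action": ["s3:AbortMultipartUpload", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::progress/*"]},
    ],
}

BUCKET_ARN = "arn:aws:s3:::progress"

# Calls the console makes when the user opens S3 and clicks the bucket,
# in the order described by the documentation quoted in the answer.
# (The resource used for ListAllMyBuckets is a constructed stand-in.)
CONSOLE_CLICK_SEQUENCE = [
    ("s3:ListAllMyBuckets", "arn:aws:s3:::*"),
    ("s3:GetBucketLocation", BUCKET_ARN),
    ("s3:ListBucket", BUCKET_ARN),
]


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Default deny: True only if some Allow statement matches both action and resource."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatch.fnmatchcase(action, pat)
                        for pat in _as_list(stmt.get("Action", [])))
        resource_ok = any(fnmatch.fnmatchcase(resource, pat)
                          for pat in _as_list(stmt.get("Resource", [])))
        if action_ok and resource_ok:
            return True
    return False


def first_denied_call(policy, calls):
    """Return the first (action, resource) pair the policy denies, or None if all pass."""
    for action, resource in calls:
        if not is_allowed(policy, action, resource):
            return (action, resource)
    return None


def with_bucket_location(policy, bucket_arn):
    """Copy the policy and append the statement the console needs, scoped to one bucket."""
    amended = copy.deepcopy(policy)
    amended["Statement"].append({
        "Sid": "RequiredByS3Console",
        "Effect": "Allow",
        "Action": ["s3:GetBucketLocation"],
        # Narrowed from the documentation's arn:aws:s3:::* to this bucket only.
        "Resource": [bucket_arn],
    })
    return amended


if __name__ == "__main__":
    # Matches the simulator: ListBucket alone is allowed on the bucket ARN.
    print("ListBucket alone:", is_allowed(ORIGINAL_POLICY, "s3:ListBucket", BUCKET_ARN))
    # Matches the console: the preceding GetBucketLocation call is what fails.
    print("first denied call (original):",
          first_denied_call(ORIGINAL_POLICY, CONSOLE_CLICK_SEQUENCE))
    fixed = with_bucket_location(ORIGINAL_POLICY, BUCKET_ARN)
    print("first denied call (amended):", first_denied_call(fixed, CONSOLE_CLICK_SEQUENCE))
```

Running it shows that the original policy passes the single ListBucket check the simulator was asked about but fails the sequence at `s3:GetBucketLocation`, and that the amended policy passes the whole sequence. The amended policy still grants no `s3:GetObject`, so the client can upload and list but not download, which is the intent stated in the question.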
