Reputation: 853
My app lets user login using Google Plus. I have a common bucket for all my users. Anyone can upload/download files. But the problem is anyone can delete the file. How do I set the permissions so that anyone can upload/download files, but only the user who has uploaded the file can delete the file?
This is my Roles -> Inline Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::uni-cloud/*"
      ]
    }
  ]
}
Upvotes: 0
Views: 5180
Reputation: 2437
Upload and Delete files for specific S3 bucket
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:ListStorageLensConfigurations",
        "s3:ListAccessPointsForObjectLambda",
        "s3:GetAccessPoint",
        "s3:PutAccountPublicAccessBlock",
        "s3:GetAccountPublicAccessBlock",
        "s3:ListAllMyBuckets",
        "s3:ListAccessPoints",
        "s3:PutAccessPointPublicAccessBlock",
        "s3:ListJobs",
        "s3:PutStorageLensConfiguration",
        "s3:ListMultiRegionAccessPoints",
        "s3:CreateJob"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::<bucketName>",
        "arn:aws:s3:::<bucketName>/*"
      ]
    }
  ]
}
Upvotes: -1
Reputation: 156
If you create folders for every user in that bucket, then you can let them delete only the objects in that folder. You can do it using IAM policies; visit here.
Upvotes: 1
Reputation: 270114
Objects stored in Amazon S3 do not identify "the user who has uploaded the file". Therefore, you'll need some other way of identifying which files they are allowed to access.
The simplest method would be to give each user their own sub-directory and then grant them permission to upload/download/delete objects only in that sub-directory.
You could then create a Role that uses IAM Policy Variables that grant permission, using the user's identifier as the name for a sub-directory. The policy would look something like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::mybucket"],
      "Condition": {"StringLike": {"s3:prefix": ["${aws:username}/*"]}}
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::mybucket/${aws:username}/*"]
    }
  ]
}
Upvotes: 2
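The following is an added example and is not code from the question or from any of the answers above. It is a small offline evaluator that expands IAM policy variables and matches Action, Resource and StringLike conditions the way IAM does for Allow statements, so the question's shared-bucket policy and a per-user-prefix policy can be compared side by side without an AWS account. Two things in it are assumptions of this example rather than statements from the page: the bucket is named uni-cloud (taken from the question's policy), and the Google-signed-in users reach S3 through an Amazon Cognito identity pool, so their identity is carried in the policy variable ${cognito-identity.amazonaws.com:sub}. That choice matters: ${aws:username} is only populated for IAM users, so a federated caller never matches a resource built from it. The two identity IDs and the object keys are constructed.

```python
"""Offline check of how IAM policy variables partition one S3 bucket into
per-user prefixes. Added example, not code from the original post. It handles
only what these two policies need: Allow statements, wildcard matching, policy
variables and the StringLike condition operator. Assumed: bucket "uni-cloud"
(from the question) and Cognito-federated callers identified by
${cognito-identity.amazonaws.com:sub}. Identity IDs and keys are constructed."""
import fnmatch
import json
import re

# The question's policy: every authenticated user may delete every object.
SHARED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
    "Action": ["s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetObject", "s3:PutObject"],
    "Resource": ["arn:aws:s3:::uni-cloud/*"]}]}""")

# Per-user prefix policy (hypothetical, written for this example). Users who sign
# in with Google through Cognito are not IAM users, so ${aws:username} is never
# set for them; the identity-pool ID variable carries their identity instead.
PER_USER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::uni-cloud"],
     "Condition": {"StringLike": {"s3:prefix": ["${cognito-identity.amazonaws.com:sub}/*"]}}},
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload"],
     "Resource": ["arn:aws:s3:::uni-cloud/${cognito-identity.amazonaws.com:sub}/*"]}]}""")

VAR_RE = re.compile(r"\$\{([^}]+)\}")


def substitute(template, context):
    """Expand ${key} from the request context; None if any key is absent,
    which IAM treats as the element not matching."""
    try:
        return VAR_RE.sub(lambda m: context[m.group(1)], template)
    except KeyError:
        return None


def glob_match(pattern, value):
    """IAM wildcards: '*' is any run of characters (slashes included), '?' one
    character. The constructed IDs contain no glob metacharacters."""
    return fnmatch.fnmatchcase(value, pattern)


def as_list(v):
    return v if isinstance(v, list) else [v]


def condition_holds(condition, context):
    """StringLike only. A key missing from the request context (for example no
    s3:prefix when listing the whole bucket) makes the condition false."""
    for operator, pairs in condition.items():
        if operator != "StringLike":
            raise NotImplementedError(operator)
        for key, patterns in pairs.items():
            value = context.get(key)
            expanded = [substitute(p, context) for p in as_list(patterns)]
            if value is None or not any(p is not None and glob_match(p, value) for p in expanded):
                return False
    return True


def is_allowed(policy, action, resource, context):
    """Implicit deny unless an Allow statement matches on Action, Resource and
    Condition. Neither sample policy contains Deny statements."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(glob_match(a, action) for a in as_list(stmt["Action"])):
            continue
        expanded = [substitute(r, context) for r in as_list(stmt["Resource"])]
        if not any(r is not None and glob_match(r, resource) for r in expanded):
            continue
        if condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


def s3_request(policy, identity_id, action, key=None, prefix=None):
    """Evaluate one call with the context a Cognito-federated caller produces.
    key=None targets the bucket itself (s3:ListBucket)."""
    context = {"cognito-identity.amazonaws.com:sub": identity_id}
    if prefix is not None:
        context["s3:prefix"] = prefix
    arn = "arn:aws:s3:::uni-cloud" + ("" if key is None else "/" + key)
    return is_allowed(policy, action, arn, context)


def variable_resolves(template, identity_id):
    """True if every variable in the template exists in a federated caller's
    context; ${aws:username} does not, so a resource built from it never matches."""
    return substitute(template, {"cognito-identity.amazonaws.com:sub": identity_id}) is not None


# Constructed Cognito identity IDs for two users of the same identity pool.
ALICE = "us-east-1:0a7b4b7e-1111-4c2d-8e3f-0123456789ab"
BOB = "us-east-1:5d6e7f80-2222-4a1b-9c0d-fedcba987654"


def bob_can_delete_alices_file(policy):
    return s3_request(policy, BOB, "s3:DeleteObject", key=ALICE + "/report.pdf")


def alice_can_manage_own_file(policy):
    return all(s3_request(policy, ALICE, a, key=ALICE + "/report.pdf")
               for a in ("s3:PutObject", "s3:GetObject", "s3:DeleteObject"))


def alice_can_list(policy, prefix):
    return s3_request(policy, ALICE, "s3:ListBucket", prefix=prefix)


if __name__ == "__main__":
    print("shared policy, Bob deletes Alice's file:", bob_can_delete_alices_file(SHARED_POLICY))
    print("per-user policy, Bob deletes Alice's file:", bob_can_delete_alices_file(PER_USER_POLICY))
    print("per-user policy, Alice manages her own file:", alice_can_manage_own_file(PER_USER_POLICY))
    print("per-user policy, Alice lists her prefix:", alice_can_list(PER_USER_POLICY, ALICE + "/"))
    print("per-user policy, Alice lists the whole bucket:", alice_can_list(PER_USER_POLICY, None))
    print("aws:username resolves for a federated caller:",
          variable_resolves("arn:aws:s3:::uni-cloud/${aws:username}/*", ALICE))
```

The evaluator is a deliberate simplification (no Deny statements, no other condition operators, no NotAction/NotResource), so it is a reasoning aid for this page's policies rather than a substitute for the IAM policy simulator. The interesting edge cases it exercises are the whole-bucket list (the request carries no s3:prefix, so the StringLike condition fails and the call is denied) and the unresolved variable (a resource built from ${aws:username} can never match for a Google-federated caller, so such a policy silently grants nothing).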