Anton Boritskiy

Reputation: 1569

How to match S3 bucket name suffix against username prefix

I want to set up a policy inside the AWS IAM service to allow users following a specific pattern to connect to S3 buckets whose names follow a specific pattern.

My users look like archiver_clientname, my buckets look like clientname_archive. So far I read through this and this

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*",
      "Condition": {"StringLike": {"${s3:prefix}": ["${aws:username:suffix}/*"]}}
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET-NAME"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET-NAME/*"
    }
  ]
}

${s3:prefix} and ${aws:username:suffix} are some variables which I made up; well, ${s3:prefix} actually exists, but I'm not sure if it does what I expect it to do. It would be great to be able to match my bucket names against my user names without renaming them, because otherwise the names will not be descriptive and will be just client names, though I have other buckets with different purposes. It would be OK to swap the user prefix and suffix or use a different separator, though. And it looks like the policy tool has enough flexibility to solve my task; I just can't find the right documentation somehow.

I also do not want to set up a new policy for each user.

I will be happy with the answer that my approach is wrong with a good explanation why it is wrong and what I can do instead.

Upvotes: 1

Views: 1374

Answers (1)

Matt Houser

Reputation: 36043

First off, when a user gets the list of buckets, it's not possible to limit the list that is returned to the user. So, don't put a condition on the "s3:ListAllMyBuckets" action. Either they see all the buckets, or they see none.

Next, you cannot "split apart" the username. The IAM policy language isn't that sophisticated. If your username is "archiver_username", then you should be able to match it to a bucket "archiver_username_archive" by using the `${aws:username}` variable in the resource:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::${aws:username}_archive"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::${aws:username}_archive/*"
    }
  ]
}

But the language does not permit you to match a bucket called "username_archive".

Upvotes: 4
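To make the point of the answer concrete without touching a real AWS account, here is an added, simplified offline model of how IAM expands a policy variable inside a Resource ARN and then matches it against the requested resource. It is example code written for this page, not AWS's evaluator and not the answer's code; the policy is the one from the answer, the user name archiver_acme and the bucket names are constructed samples, and the model assumes that a variable's value is inserted as literal text (no wildcard expansion inside a username) and does not model Deny statements or Condition blocks.

```python
"""Offline model of IAM policy-variable substitution and Resource matching.

Added example for this page (not AWS's own evaluator). Assumptions:
- only "Allow" statements, "Action" and "Resource" are evaluated;
- '*' matches any run of characters, '?' matches one character;
- a ${var} value is inserted literally, so it cannot be split or sliced,
  which is why "archiver_acme" can only ever match "archiver_acme_archive"
  and never "acme_archive".
"""
import re

# The answer's policy, as constructed sample input.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": "arn:aws:s3:::${aws:username}_archive"},
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::${aws:username}_archive/*"},
    ],
}

VAR_RE = re.compile(r"\$\{([A-Za-z0-9:]+)\}")


def glob_to_regex(fragment: str) -> str:
    """Translate an IAM-style wildcard fragment into a regex fragment."""
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in fragment)


def resource_regex(pattern: str, context: dict):
    """Expand ${var} from the request context and build a full-match regex.

    Returns None when the pattern references a variable that is absent from
    the context; IAM treats such a statement as not matching.
    """
    parts, pos = [], 0
    for m in VAR_RE.finditer(pattern):
        parts.append(glob_to_regex(pattern[pos:m.start()]))
        key = m.group(1)
        if key not in context:
            return None
        parts.append(re.escape(context[key]))  # literal insertion, no slicing
        pos = m.end()
    parts.append(glob_to_regex(pattern[pos:]))
    return "".join(parts)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str, context: dict) -> bool:
    """True if some Allow statement matches both the action and the resource."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(re.fullmatch(glob_to_regex(a), action) for a in _as_list(stmt["Action"])):
            continue
        for res in _as_list(stmt["Resource"]):
            regex = resource_regex(res, context)
            if regex is not None and re.fullmatch(regex, resource):
                return True
    return False


def demo() -> dict:
    """Evaluate a few constructed requests for user archiver_acme."""
    ctx = {"aws:username": "archiver_acme"}
    return {
        "own_bucket_object": is_allowed(
            POLICY, "s3:GetObject", "arn:aws:s3:::archiver_acme_archive/report.csv", ctx),
        "own_bucket_list": is_allowed(
            POLICY, "s3:ListBucket", "arn:aws:s3:::archiver_acme_archive", ctx),
        "list_all_buckets": is_allowed(POLICY, "s3:ListAllMyBuckets", "arn:aws:s3:::", ctx),
        # The question's naming scheme (clientname_archive) cannot be expressed.
        "short_name_bucket": is_allowed(
            POLICY, "s3:GetObject", "arn:aws:s3:::acme_archive/report.csv", ctx),
        "other_users_bucket": is_allowed(
            POLICY, "s3:GetObject", "arn:aws:s3:::archiver_other_archive/x", ctx),
        # ListBucket is granted on the bucket ARN only, not on objects.
        "list_on_object_arn": is_allowed(
            POLICY, "s3:ListBucket", "arn:aws:s3:::archiver_acme_archive/x", ctx),
        # No username in the context (e.g. a role session): the variable statement never matches.
        "no_username_in_context": is_allowed(
            POLICY, "s3:GetObject", "arn:aws:s3:::archiver_acme_archive/x", {}),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'deny'}")
```

The `short_name_bucket` case is the one the question asks for: because the variable's value is inserted whole, no arrangement of prefix, suffix or separator lets a user archiver_acme match a bucket named acme_archive, so either the user names or the bucket names have to carry the full shared string.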
