Sean

Reputation: 631

Folder Specific IAM Permissions for boto3 S3 API Calls

So I have a user whose IAM permissions are set to the following. It is meant to only allow them Create/Delete/List/etc. objects in the "Target_Folder/" for the bucket.

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "Stmt123456789",
        "Effect": "Allow",
        "Action": [
            "s3:CreateBucket",
            "s3:DeleteObject",
            "s3:GetObject",
            "s3:ListBucket",
            "s3:PutObject"
        ],
        "Resource": [
            "arn:aws:s3:::bucket/Target_Folder/*"
        ]
    }
  ]
}

Using boto3, I embed the relevant aws_access_key_id and aws_secret_access_key in the config. After doing this, I find I am unable to perform any actions within the "/Target_Folder/" such as:

import boto3
# boto3.s3.transfer is not loaded by "import boto3" itself, so it has to be imported explicitly.
from boto3.s3.transfer import S3Transfer

bucket = 'bucket'
prefix = 'Target_Folder/'   # the folder the IAM policy is scoped to

client = boto3.client('s3')  # the service name must be passed as a string

#Attempt to print objects under the Target_Folder
response = client.list_objects(Bucket=bucket, Prefix=prefix)
for obj in response.get('Contents', []):   # 'Contents' is absent when nothing matches the prefix
    print(obj['Key'])                       # the field is 'Key', not 'key'


#Attempt to upload file; the third argument is the full object key, not only the prefix
transfer = S3Transfer(client)
transfer.upload_file('C:/filepath/file', bucket, prefix + 'file')

Ultimately, no matter what approach, I receive a "botocore.exceptions.ClientError: An error occurred (SignatureDoesNotMatch)....". Conversely, if I use a key/secret_key pair with much more open bucket permissions, I have no issues interacting with the API.

Apologies if this has been answered or clarified in another thread, I could not find any good ones while searching.

Upvotes: 1

Views: 4153

Answers (1)

BMW

Reputation: 45293

First, the s3 bucket bucket should exist.

You need to assign s3:ListBucket permission on the s3 bucket, then you can give the object access permission in this bucket.

{
"Version": "2012-10-17",
"Statement": [
    {
       "Effect":"Allow",
       "Action":[
          "s3:ListBucket",
          "s3:GetBucketLocation"
       ],
       "Resource":"arn:aws:s3:::bucket"
    },
    {
        "Sid": "Stmt123456789",
        "Effect": "Allow",
        "Action": [
            "s3:CreateBucket",   # and this should be removed.
            "s3:DeleteObject",
            "s3:GetObject",
            "s3:ListBucket",
            "s3:PutObject"
        ],
        "Resource": [
            "arn:aws:s3:::bucket/Target_Folder/*"
        ]
    }
  ]
}

Upvotes: 5
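To see why the question's policy fails the list call while the answer's fix passes it, here is an added example (not code from the question, the answer, boto3 or IAM) that runs a simplified IAM Allow/Deny evaluation offline over constructed copies of both policies. It models only action and resource matching (no Conditions or principals), and the (action, ARN) pairs for the two boto3 calls are assumptions based on how S3 authorizes ListBucket against the bucket ARN and PutObject against the object ARN.

```python
import fnmatch

# Constructed copies of the two policies on this page (bucket named "bucket" as in the question).
ORIGINAL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:CreateBucket", "s3:DeleteObject", "s3:GetObject", "s3:ListBucket", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::bucket/Target_Folder/*"]}]}

FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": "arn:aws:s3:::bucket"},
    {"Effect": "Allow", "Action": ["s3:DeleteObject", "s3:GetObject", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::bucket/Target_Folder/*"]}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value, ignore_case):
    # IAM wildcards: '*' matches any run of characters (including '/'), '?' one character.
    # Action names are case-insensitive; resource ARNs are not.
    if ignore_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow grants,
    otherwise the request is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_match(a, action, True) for a in _as_list(stmt["Action"]))
        resource_hit = any(_match(r, resource, False) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Assumed (action, resource ARN) pairs for the question's calls plus one request outside the folder.
LIST_CALL = ("s3:ListBucket", "arn:aws:s3:::bucket")                    # client.list_objects
PUT_CALL = ("s3:PutObject", "arn:aws:s3:::bucket/Target_Folder/file")   # transfer.upload_file
STRAY_PUT = ("s3:PutObject", "arn:aws:s3:::bucket/Other_Folder/file")   # must stay denied


def compare_policies():
    """Return {check: (original_allows, fixed_allows)} for the three requests above."""
    return {name: (is_allowed(ORIGINAL_POLICY, *req), is_allowed(FIXED_POLICY, *req))
            for name, req in [("list", LIST_CALL), ("put", PUT_CALL), ("stray_put", STRAY_PUT)]}


if __name__ == "__main__":
    for name, (before, after) in compare_policies().items():
        print(f"{name}: original={before} fixed={after}")
```

The list call is the only one that changes between the two policies: the original grants s3:ListBucket on an object-ARN pattern that a bucket ARN can never match, so the grant was dead; the fix also leaves s3:PutObject outside Target_Folder denied, which is the least-privilege property worth re-checking after any policy edit.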
