Reputation: 720
Verifying S3 credentials w/o GET or PUT using boto3
Is there a way to verify a given set of S3 credentials has access to a specific bucket without doing an explicit PUT or GET of some sort?
Instantiating an s3.Client, s3.Resource or s3.Bucket object doesn't seem to verify credentials at all, let alone bucket access.
boto3 1.4.7. python 2.7.13.
We have automation and orchestration that automates bucket creation and I want to include a piece that verifies a user's access key and secret. I know the bucket exists at this point since I created it. The bucket is empty.
I want to verify a user has access w/o doing a PUT operation.
Thanks for any help.
* update *
I ended up doing this with an s3.Client object:
objects = client.list_objects(Bucket=cfg['bucket'])
Since the bucket is empty this is a lightweight operation and a one-liner for the most part. (wrapped in a try block)
Upvotes: 8
Views: 5456
Answers (2)
Reputation: 52393
Use head_bucket.
head_bucket(**kwargs)
This operation is useful to determine if a bucket exists and you have permission to access it.
If you don't have access, you will get an exception:
botocore.exceptions.ClientError: An error occurred (403) when calling the HeadBucket operation: Forbidden
Modify this Python 2.7 code to suit to your needs:
import boto3
s3 = boto3.client('s3')
try:
s3.head_bucket(Bucket='mybucket')
print 'Can access the bucket'
except:
print 'Cannot access the bucket'
Upvotes: 3
Reputation: 16003
Yes, you can use IAM policy simulation for that. Here's an example:
import boto3
iam = boto3.client('iam')
sts = boto3.client('sts')
# Get the arn represented by the currently configured credentials
arn = sts.get_caller_identity()['Arn']
# Create an arn representing the objects in a bucket
bucket_objects_arn = 'arn:aws:s3:::%s/*' % 'my-test-bucket'
# Run the policy simulation for the basic s3 operations
results = iam.simulate_principal_policy(
PolicySourceArn=arn,
ResourceArns=[bucket_objects_arn],
ActionNames=['s3:PutObject', 's3:GetObject', 's3:DeleteObject']
)
for result in results['EvaluationResults']:
print("%s - %s" % (result['EvalActionName'], result['EvalDecision']))
You can find all the s3 actions here.
One caveat to this is that IAM is eventually consistent, so if you're creating users on the fly you still might have to wait a bit for the changes to propagate.
Upvotes: 12
Related Questions
- How to specify credentials when connecting to boto3 S3?
- Verify AWS Credentials with boto3
- boto3 s3 initialized session return credentials
- Downloading Files on a Public S3 Bucket Without Authentication Using Python
- Using boto for AWS S3 Buckets for Signature V4
- Download a file from S3 Bucket using boto3 by passing credentials as parameters
- Using Boto to connect to S3 with Python
- How do you perform a credentialed download from s3 using boto3 without saving a file?
- s3 connection to 'folder' via boto
- How can I programmatically check Amazon S3 permissions with boto?