John Dirak

Reputation: 65

Why can't I download files from s3 bucket, when permissions are set?

I was trying to create a bucket and set full permissions for two more accounts. First, I added those accounts in bucket Permissions. Files were still inaccessible. Then, I tried a policy. I created two roles for each account to specify them in it. Here is that policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::id:role/user1",
                    "arn:aws:iam::id:role/user2"
                ]
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bucket-name/*",
                "arn:aws:s3:::bucket-name"
            ]
        }
    ]
}

Still nothing. Then I saw that, even though the bucket has all the permissions set, the files in it don't have any. When I set them for a file, it becomes accessible to other users. But I wouldn't really want to do that for each file I upload. What's wrong?

I tried loading up files with aws cli and set permissions there with a "--grants" option, but after uploading, I can't even download them myself via the aws console.

Upvotes: 4

Views: 56991

Answers (2)

John Rotenstein

Reputation: 270104

To demonstrate how this works, I did the following:

  • Created bucket-1 in Account-1
  • Assigned this bucket policy:


{
    "Id": "Account1Policy",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowBucketAccess",
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::bucket-1",
                "arn:aws:s3:::bucket-1/*"
            ],
            "Principal": {
                "AWS": [
                    "arn:aws:iam::222222222222:user/account-2-user"
                ]
            }
        }
    ]
}

This policy says: Allow account2:account-2-user to do anything with account1:bucket-1

  • Created account-2-user in Account-2
  • Gave the user this inline policy:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowBucket1Access",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-1",
                "arn:aws:s3:::bucket-1/*"
            ]
        }
    ]
}

This policy says: Allow the user to whom this policy is attached permission to do anything with bucket-1

If both the bucket and the user were in the same account, this policy would be sufficient to grant full access to the bucket. However, because bucket-1 actually belongs to a different account, the first policy (above) is also required so that account-1 actually grants access. This means that the second policy isn't actually granting access to the bucket - it is merely granting permission for account-2-user to make a request to access the bucket. The real access is granted in the first policy.

I then successfully used the credentials of account-2-user to access bucket-1:

$ aws s3 cp foo.txt s3://bucket-1 --profile account-2-user
upload: ./foo.txt to s3://bucket-1/foo.txt

Upvotes: 5

John Rotenstein

Reputation: 270104

If a bucket policy grants access to an object, you do not need to also grant access at the object-level.

The bucket policy you have listed would grant access to the bucket if it is being accessed via credentials that are issued from a role that is called user1 or user2. (It's quite strange that you are giving 'user' prefixes to role names.)

For example, if you have an Amazon EC2 instance that is assigned an IAM role called user1, then it will be automatically given credentials to access the bucket.

If user1 and user2 are actually users, then the ARN should be:

arn:aws:iam::id:user/user1

In this case, the bucket will be accessible when accessed with that user's credentials.

Update:

I think it actually needs permissions to be assigned in two locations:

  1. On the Bucket in Account-1, as per above (which says that the bucket is permitting access from a user/role in another account), AND
  2. On the user/role in Account-2 as well, which says that the administrator of Account-2 is permitting that user/role to call S3. If the user/role already has s3:* permissions against * resources, then this isn't needed. At a minimum it needs permissions against S3 for the desired bucket.

Upvotes: 1
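The two-sided rule described in both answers (cross-account access needs an Allow from the caller's identity policy and from the bucket policy; same-account access needs only one of them) can be checked offline with a small policy evaluator. This is an added example, not code from either answer or from AWS; it is a deliberately simplified model of IAM evaluation (no Conditions, SCPs, ACLs or NotAction), and the account ids and policies are constructed sample values that mirror the ones in the first answer.

```python
import fnmatch
import json

# Constructed policies mirroring the two in the answer above (sample account ids, not real ones).
BUCKET_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowBucketAccess", "Effect": "Allow", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::bucket-1", "arn:aws:s3:::bucket-1/*"],
    "Principal": {"AWS": ["arn:aws:iam::222222222222:user/account-2-user"]}}]}""")
IDENTITY_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowBucket1Access", "Effect": "Allow", "Action": ["s3:*"],
    "Resource": ["arn:aws:s3:::bucket-1", "arn:aws:s3:::bucket-1/*"]}]}""")
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}  # "no policy attached"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def account_of(arn):
    """The account id is the fifth colon-separated field of an IAM ARN."""
    return arn.split(":")[4]

def _principal_matches(statement, principal_arn):
    principal = statement.get("Principal", {})
    entries = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
    root = "arn:aws:iam::%s:root" % account_of(principal_arn)  # whole-account grant
    return any(e in ("*", principal_arn, root) for e in entries)

def _effects(policy, action, resource, principal_arn=None):
    """Effects of the statements matching action/resource (and principal, for bucket policies)."""
    hits = set()
    for s in policy["Statement"]:
        if principal_arn is not None and not _principal_matches(s, principal_arn):
            continue
        if (any(fnmatch.fnmatchcase(action, a) for a in _as_list(s["Action"])) and
                any(fnmatch.fnmatchcase(resource, r) for r in _as_list(s["Resource"]))):
            hits.add(s["Effect"])
    return hits

def is_allowed(principal_arn, bucket_owner, action, resource, identity_policy, bucket_policy):
    """Simplified IAM evaluation (assumption: no Conditions, SCPs, ACLs or NotAction).
    An explicit Deny anywhere wins; a cross-account request needs an Allow from both
    the caller's identity policy and the bucket policy; same-account needs either one."""
    identity = _effects(identity_policy, action, resource)
    bucket = _effects(bucket_policy, action, resource, principal_arn)
    if "Deny" in identity or "Deny" in bucket:
        return False
    if account_of(principal_arn) == bucket_owner:
        return "Allow" in identity or "Allow" in bucket
    return "Allow" in identity and "Allow" in bucket

if __name__ == "__main__":
    user, obj = "arn:aws:iam::222222222222:user/account-2-user", "arn:aws:s3:::bucket-1/foo.txt"
    print("both policies:", is_allowed(user, "111111111111", "s3:GetObject", obj, IDENTITY_POLICY, BUCKET_POLICY))
    print("bucket policy only:", is_allowed(user, "111111111111", "s3:GetObject", obj, EMPTY_POLICY, BUCKET_POLICY))
```

Running it shows the situation from the question: a bucket policy alone, or an identity policy alone, leaves the cross-account request denied, while either one is enough for a principal in the bucket owner's own account.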
