Zak

Reputation: 121

Amazon S3 bucket policy for a federated user

I am trying to give a federated user (ADFS + SAML + STS) access to an Amazon S3 bucket. I am setting the principal as

"Principal": {
    "AWS": [
        "arn:aws:sts::accountid:federated-user/someuser"
    ]
}

and

"Resource": "arn:aws:s3:::mybucket"

But I can't seem to get the right access. Any pointers on this?

Upvotes: 1

Views: 6323

Answers (2)

Rodel

Reputation: 177

This might be an old post, but the answer by @alkalinecoffee above did help me figure out the best answer for today.

IAM role policies now use Conditions a lot:

{
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:*",
  "Resource": [
    "arn:aws:s3:::<s3bucket>",
    "arn:aws:s3:::<s3bucket>/*"
  ],
  "Condition": {
    "ArnNotEquals": {
      "aws:PrincipalArn": [
        "arn:aws:iam::<AccountID>:role/aws-reserved/sso.amazonaws.com/<region>/<rolename>",
        "arn:aws:iam::<AccountID>:assumed-role/<rolename>/<federateduser>"
      ]
    }
  }
}

This will block ALL users except for the federated user defined in the ArnNotEquals condition.

Upvotes: 2

alkalinecoffee

Reputation: 1013

Does the user assume a specific role first before attempting to access the bucket?

If so, try including both the user and the assumed role in your bucket policy, i.e.

"AWS": [
  "arn:aws:sts::1234567890:assumed-role/User/[email protected]",
  "arn:aws:iam::1234567890:role/User"
]

Where User is the role name.

Upvotes: 3
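Both answers above come down to getting the principal ARN right, and the two ARN forms are easy to mix up. Below is an added example (not code from the question or from either answer) that builds the bucket policy the answers describe and then checks what string each kind of caller actually presents to the policy engine. The account ID 123456789012, the role names SamlS3Access and BucketAdmin, and the session name are placeholders chosen for the example. Two points the example makes explicit: a session created by AssumeRoleWithSAML carries an `arn:aws:sts::…:assumed-role/<role>/<session>` ARN, never the `federated-user` form from the question (that form belongs to GetFederationToken); and the `aws:PrincipalArn` condition key holds the role ARN (`arn:aws:iam::…:role/<role>`) for role sessions, so a Deny with ArnNotEquals must list role ARNs. The BucketAdmin exemption is there because a `"Principal": "*"` Deny would otherwise lock out whoever maintains the policy.

```python
"""
Added example (not code from the question or either answer): build the S3
bucket policy the two answers describe for a SAML-federated role, and check
which principal ARN each kind of caller presents to the policy engine.
Account, role and session names are placeholders, not values from the page.
"""
import fnmatch
import json

ACCOUNT_ID = "123456789012"   # placeholder account
BUCKET = "mybucket"           # bucket name from the question
ROLE_NAME = "SamlS3Access"    # placeholder role the SAML assertion maps to
ADMIN_ROLE = "BucketAdmin"    # placeholder role that manages the bucket policy


def role_arn(account_id, role_name):
    """ARN of the IAM role itself. This is what aws:PrincipalArn carries for
    any session of the role (AWS substitutes the role ARN for role sessions)."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def assumed_role_arn(account_id, role_name, session_name):
    """ARN of one session returned by AssumeRoleWithSAML. Accepted in a
    bucket-policy Principal element; a role path, if any, is not included."""
    return f"arn:aws:sts::{account_id}:assumed-role/{role_name}/{session_name}"


def federated_user_arn(account_id, user_name):
    """ARN of a GetFederationToken principal, the form used in the question.
    An AssumeRoleWithSAML session never has this ARN, so it never matched."""
    return f"arn:aws:sts::{account_id}:federated-user/{user_name}"


def build_bucket_policy(account_id, bucket, role_name, session_name, admin_role):
    """Allow both the role and its session (alkalinecoffee's answer), then
    Deny everyone whose aws:PrincipalArn is neither the role nor the admin
    role (Rodel's pattern). The Deny lists role ARNs, not session ARNs."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    resources = [bucket_arn, f"{bucket_arn}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowSamlRole",
                "Effect": "Allow",
                "Principal": {"AWS": [
                    role_arn(account_id, role_name),
                    assumed_role_arn(account_id, role_name, session_name),
                ]},
                "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
                "Resource": resources,
            },
            {
                "Sid": "DenyEveryoneElse",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": resources,
                "Condition": {"ArnNotEquals": {"aws:PrincipalArn": [
                    role_arn(account_id, role_name),
                    role_arn(account_id, admin_role),
                ]}},
            },
        ],
    }


def arn_match(pattern, arn):
    """ArnEquals/ArnLike semantics: the six colon-delimited fields are compared
    one by one, each allowing * and ? wildcards."""
    p, a = pattern.split(":", 5), arn.split(":", 5)
    if len(p) != 6 or len(a) != 6:
        return False
    return all(fnmatch.fnmatchcase(x, y) for x, y in zip(a, p))


def principal_arn_in_request(caller_arn):
    """Value of aws:PrincipalArn for a caller: role sessions are rewritten to
    the role ARN; IAM users and federated users keep their own ARN."""
    parts = caller_arn.split(":", 5)
    if parts[2] == "sts" and parts[5].startswith("assumed-role/"):
        return role_arn(parts[4], parts[5].split("/")[1])
    return caller_arn


def deny_applies(policy, principal_arn):
    """True when the Deny statement fires for principal_arn. A negated
    operator with several values is satisfied only if the key matches none."""
    deny = next(s for s in policy["Statement"] if s["Effect"] == "Deny")
    exempt = deny["Condition"]["ArnNotEquals"]["aws:PrincipalArn"]
    return not any(arn_match(pattern, principal_arn) for pattern in exempt)


if __name__ == "__main__":
    session = "zak@example.com"   # constructed RoleSessionName sent by the IdP
    policy = build_bucket_policy(ACCOUNT_ID, BUCKET, ROLE_NAME, session, ADMIN_ROLE)
    print(json.dumps(policy, indent=2))
    for caller in (assumed_role_arn(ACCOUNT_ID, ROLE_NAME, session),
                   assumed_role_arn(ACCOUNT_ID, "SomeOtherRole", "intruder"),
                   federated_user_arn(ACCOUNT_ID, "someuser")):
        seen = principal_arn_in_request(caller)
        verdict = "DENIED" if deny_applies(policy, seen) else "passes the Deny"
        print(f"{caller}\n  -> aws:PrincipalArn={seen}: {verdict}")
```

Run it and feed the printed policy to `aws s3api put-bucket-policy`; the three trial callers show the SAML session passing the Deny while another role's session and a GetFederationToken user are denied. The evaluator only models the single Deny statement with ArnNotEquals; it is a check on ARN forms, not a replacement for the IAM policy simulator.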
