Reputation: 1
I am trying to use one IAM user to have conditional access to multiple S3 buckets. The condition should be something like: to GetObject, I can send an additional param or token in the request that verifies my access to that bucket.
I tried to use authorization based on tags for S3 with this condition:
    "Condition": {
        "StringEquals": {
            "aws:ExistingObjectTag/token": "value"
        }
    }
Can that value be dynamic, so that I can access objects based on tags from a single IAM user?
Upvotes: 0
Views: 492
Reputation: 270134
It appears you want to be able to grant an IAM User access to specific objects.
The method you show (presumably from Object Tagging - Amazon Simple Storage Service) is a way of granting access to objects with a specific Tag Key/Value combination. So, if an object has that tag, then they can access it.
Your suggestion of providing a "token in request that verifies my access to that bucket" is not great for security, since anybody could access it if they know the token. It would be a little bit like using hard-to-guess filenames, which is not a good form of security.
The closest thing to what you desire is a pre-signed URL, which is a time-limited URL that grants temporary access to private objects. Normally, users interact with an application. When a user requests access to an object, the application can generate the pre-signed URL. For example, you might be using a photo-sharing service that has public and private pictures. If you wish to view one of your private pictures, the application can generate a URL that provides access for a limited time (e.g. 5 minutes). After the expiry period the link no longer works.
See: Share an Object with Others - Amazon Simple Storage Service
Upvotes: 1
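To show what the answer's time-limited link actually consists of, here is an added example (not part of the answer, and not AWS's or boto3's code) that builds a SigV4 query-string presigned GET URL with only the standard library, plus the check the service performs when the link is used: recompute the signature with the secret key and refuse it once X-Amz-Expires has passed. The bucket, object key, credentials and timestamps are constructed placeholders.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qs, quote, unquote, urlsplit


def _signature(host, key, region, access_key, secret, amz_date, expires):
    """Canonical query string and hex SigV4 signature for a presigned GET."""
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    params = {"X-Amz-Algorithm": "AWS4-HMAC-SHA256", "X-Amz-Credential": f"{access_key}/{scope}",
              "X-Amz-Date": amz_date, "X-Amz-Expires": str(expires), "X-Amz-SignedHeaders": "host"}
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in sorted(params.items()))
    canonical = "\n".join(["GET", quote("/" + key), query, f"host:{host}", "", "host", "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, hashlib.sha256(canonical.encode()).hexdigest()])
    k = ("AWS4" + secret).encode()
    for part in (amz_date[:8], region, "s3", "aws4_request"):  # derive the scoped signing key
        k = hmac.new(k, part.encode(), hashlib.sha256).digest()
    return query, hmac.new(k, to_sign.encode(), hashlib.sha256).hexdigest()


def presign_get(bucket, key, region, access_key, secret, now_ts, expires=300):
    """Application side: sign a GET for one object with the app's own credentials.
    now_ts is a Unix timestamp; the link is valid for `expires` seconds from then."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = datetime.fromtimestamp(now_ts, tz=timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    query, sig = _signature(host, key, region, access_key, secret, amz_date, expires)
    return f"https://{host}{quote('/' + key)}?{query}&X-Amz-Signature={sig}"


def verify_get(url, region, secret, now_ts):
    """Service side (what S3 does on receipt): recompute the signature and enforce the expiry.
    Anyone holding the link can use it until then, which is why the window should be short."""
    u = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    issued = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    if now_ts > issued.timestamp() + int(q["X-Amz-Expires"]):
        return False  # expired: a correct signature no longer grants access
    access_key = q["X-Amz-Credential"].split("/")[0]
    _, expected = _signature(u.hostname, unquote(u.path[1:]), region, access_key, secret,
                             q["X-Amz-Date"], int(q["X-Amz-Expires"]))
    return hmac.compare_digest(expected, q["X-Amz-Signature"])
```

The object key is part of the signed canonical request, so the same link cannot be edited to reach a different object, and the IAM user whose credentials signed it still needs s3:GetObject on that object for the request to succeed.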