Reputation: 81
I'm trying to use the IAM global condition key aws:PrincipalOrgPaths in an S3 bucket policy, but I keep getting an "Access denied" error. I am able to use the key aws:PrincipalOrgID just fine. The sanitized bucket policy below is what I am trying to use.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "MyOrgOnly",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::thebucketofmydreams",
        "arn:aws:s3:::thebucketofmydreams/*"
      ],
      "Condition": {
        "ForAnyValue:StringLike": {
          "aws:PrincipalOrgPaths": "o-funny/r-stuff/ou-path"
        }
      }
    }
  ]
}
Upvotes: 1
Views: 2321
Reputation: 81
So, the final answer is that it was a syntax error. The PrincipalOrgPaths requires square brackets, even though it is a single entity. If you try this, you'll notice that once accepted, the square brackets will be stripped out of the final policy. Thanks, AWS!
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "MyOrgOnly",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::thebucketofmydreams",
        "arn:aws:s3:::thebucketofmydreams/*"
      ],
      "Condition": {
        "ForAnyValue:StringLike": {
          "aws:PrincipalOrgPaths": ["o-funny/r-stuff/ou-path"]
        }
      }
    }
  ]
}
Upvotes: 7
Reputation: 111
Please change the PrincipalOrgPaths condition from "aws:PrincipalOrgPaths": "o-funny/r-stuff/ou-path/" to "aws:PrincipalOrgPaths": "o-funny/r-stuff/ou-path/*" so that everything under the organization path can access. You are missing the * here.
Upvotes: 0
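The two answers above make two separate points: a ForAnyValue condition on aws:PrincipalOrgPaths must be list-valued, and the pattern needs a trailing `*` to cover nested OUs. The following is an added example, not code from either answer or from AWS, that lints a bucket policy for the first mistake before deployment and then evaluates the StringLike condition the way IAM's set operator does. The policy and the principal org paths (assumed to follow the documented `o-…/r-…/ou-…/` shape with a trailing slash) are constructed sample data; only the condition is evaluated, not actions or resources.

```python
import re

# Constructed sample: the accepted answer's policy with the second answer's "/*" applied.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "MyOrgOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::thebucketofmydreams",
                     "arn:aws:s3:::thebucketofmydreams/*"],
        "Condition": {"ForAnyValue:StringLike": {
            "aws:PrincipalOrgPaths": ["o-funny/r-stuff/ou-path/*"]}},
    }],
}

SET_OPERATORS = ("ForAnyValue:", "ForAllValues:")


def lint_set_conditions(policy):
    """Flag set-operator conditions whose value is a bare string instead of a list."""
    problems = []
    for stmt in policy["Statement"]:
        for operator, pairs in stmt.get("Condition", {}).items():
            if operator.startswith(SET_OPERATORS):
                for key, value in pairs.items():
                    if not isinstance(value, list):
                        problems.append(f"{stmt.get('Sid')}: {operator} {key} must be a list")
    return problems


def string_like(pattern, value):
    """IAM StringLike semantics: case-sensitive, '*' matches any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def org_path_condition_allows(policy, principal_org_paths):
    """True if some Allow statement's ForAnyValue:StringLike aws:PrincipalOrgPaths
    condition is satisfied. principal_org_paths is the request-context value:
    the caller's org paths, or [] when the key is absent (principal not in any org)."""
    problems = lint_set_conditions(policy)
    if problems:  # refuse to evaluate a malformed policy
        raise ValueError("; ".join(problems))
    for stmt in policy["Statement"]:
        patterns = stmt.get("Condition", {}).get("ForAnyValue:StringLike", {}) \
                       .get("aws:PrincipalOrgPaths")
        if stmt.get("Effect") != "Allow" or patterns is None:
            continue
        # ForAnyValue: at least one context value matches at least one pattern
        if any(string_like(p, v) for v in principal_org_paths for p in patterns):
            return True
    return False
```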