Joseph Konan

Reputation: 696

How to add multiple users to Access Control List for many files on S3

I figured out how to give other AWS accounts access to an S3 bucket. If I understand correctly, the permissions given to the bucket are not the same as the permissions given to each object in the bucket. I want all the objects in the bucket to have the same permissions.

To give users list access to the bucket:

aws2 s3api put-bucket-acl --bucket BucketName --grant-read-acp [email protected],[email protected],… --grant-read [email protected],[email protected],…

To give users list access to one object:

aws2 s3api put-object-acl --bucket BucketName --key myObject.txt --grant-read-acp [email protected],[email protected] --grant-read [email protected],[email protected]

However, I have hundreds of thousands of objects on S3. How do I grant the same access to all of them using the Amazon Web Service Command Line Interface (AWS CLI)?

Upvotes: 0

Views: 2569
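Added example, not code from the question or the answers: a script that applies the same READ grant to every object in a bucket, which is what the question asks for. Bucket ACL grants made with put-bucket-acl do not propagate to the objects, so each key needs its own put-object-acl call; the loop below pages through list-objects-v2 (the CLI paginates it itself) and goes beyond the question by taking a prefix so several copies can run in parallel on different parts of the key space. It assumes the AWS CLI (`aws`) is installed with credentials allowed s3:ListBucket and s3:PutObjectAcl on the bucket, and that ACLs are still enabled on the bucket. Every bucket name and ID in the usage lines is a placeholder.

```bash
# Added example (not from the original question): apply the same object ACL to
# every object in a bucket. Bucket ACL grants do not propagate to objects, so
# each key gets its own put-object-acl call. Assumes the AWS CLI (`aws`) is
# installed with credentials allowed s3:ListBucket and s3:PutObjectAcl on the
# bucket. All IDs in the usage lines are placeholders.

# Build the grantee list the CLI expects for --grant-read and friends,
# e.g. "id=abc,id=def" from canonical user IDs (emailaddress=... also works).
grants_from_ids() {
  out=""
  for id in "$@"; do
    [ -n "$id" ] || continue
    if [ -z "$out" ]; then out="id=$id"; else out="$out,id=$id"; fi
  done
  printf '%s\n' "$out"
}

# Normalise a text-mode key listing read on stdin: one key per line, dropping
# blank lines and the literal "None" the CLI prints when nothing matched.
# (A real key named exactly "None" would be dropped too; use --output json
# and a JSON parser if that can happen in your bucket.)
keys_from_listing() {
  while IFS= read -r key; do
    [ -n "$key" ] || continue
    [ "$key" != "None" ] || continue
    printf '%s\n' "$key"
  done
}

# put-object-acl REPLACES the object's ACL rather than adding to it, so the
# owner's FULL_CONTROL is re-granted here or it vanishes from the ACL.
grant_read_on_object() {
  bucket="$1"; key="$2"; owner_id="$3"; readers="$4"
  aws s3api put-object-acl --bucket "$bucket" --key "$key" \
    --grant-full-control "id=$owner_id" \
    --grant-read "$readers"
}

# Walk every key under an optional prefix and apply the grant. The CLI
# paginates list-objects-v2 itself; the [Key] sub-list makes text output print
# one key per line, and IFS= keeps keys that contain spaces intact.
grant_read_on_all_objects() {
  bucket="$1"; owner_id="$2"; readers="$3"; prefix="${4:-}"
  aws s3api list-objects-v2 --bucket "$bucket" --prefix "$prefix" \
      --query 'Contents[].[Key]' --output text |
  keys_from_listing |
  while IFS= read -r key; do
    grant_read_on_object "$bucket" "$key" "$owner_id" "$readers" >/dev/null
    printf 'updated %s\n' "$key"
  done
}

# Spot-check one object afterwards: the Grants list should now show the
# owner with FULL_CONTROL and each reader with READ.
show_object_acl() {
  aws s3api get-object-acl --bucket "$1" --key "$2" \
    --query 'Grants[].[Grantee.ID,Permission]' --output text
}

# Usage (placeholders):
#   owner=$(aws s3api list-buckets --query Owner.ID --output text)
#   readers=$(grants_from_ids CANONICAL-ID-OF-ACCOUNT-1 CANONICAL-ID-OF-ACCOUNT-2)
#   grant_read_on_all_objects BucketName "$owner" "$readers" some/prefix/
#   show_object_acl BucketName myObject.txt
```

Each put-object-acl is one API call, so hundreds of thousands of objects means hours if run serially; start one invocation per top-level prefix in parallel rather than one for the whole bucket. Before starting, check the bucket's Object Ownership with `aws s3api get-bucket-ownership-controls --bucket BucketName`: when it is BucketOwnerEnforced (the default for new buckets), ACLs are disabled, put-object-acl is rejected with AccessControlListNotSupported, and a bucket policy is the only option.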

Answers (3)

John Rotenstein

Reputation: 269320

This answer is based upon the requirements of:

  • Grant Read & List access to whole bucket
  • To a list of AWS Accounts

You can attach a Bucket Policy to the Amazon S3 bucket with a list of AWS Account IDs:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::ACCOUNT-ID-1:root",
                    "arn:aws:iam::ACCOUNT-ID-2:root",
                    "arn:aws:iam::ACCOUNT-ID-3:root"
                ]
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::BUCKET-NAME",
                "arn:aws:s3:::BUCKET-NAME/*"
            ]
        }
    ]
}

This will give access if they use their root login (where they login via an email address), and I think it will also work for an IAM User in their account as long as they have been granted sufficient IAM permissions for Amazon S3 within their own account (e.g. s3:* or, more safely, s3:GetObject and s3:ListBucket for the desired bucket).

Upvotes: 1
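Added example, not code from the answer above: a script that builds the bucket policy shown in the answer from a list of account IDs and attaches it with put-bucket-policy. The one check it adds beyond the answer is that each account ID is exactly 12 digits, because a mistyped Principal silently grants a stranger read access to the whole bucket. It assumes the AWS CLI is installed with credentials allowed s3:PutBucketPolicy and s3:GetBucketPolicy on the bucket; the bucket name and account IDs in the usage line are placeholders.

```bash
# Added example (not from the answer): generate the cross-account bucket policy
# from a list of account IDs and apply it. Assumes the AWS CLI is installed
# with credentials allowed s3:PutBucketPolicy and s3:GetBucketPolicy.
# Bucket name and account IDs in the usage line are placeholders.

# Fail unless the ID is exactly 12 digits: a mistyped account ID in a
# Principal grants a stranger read access to the whole bucket.
valid_account_id() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -eq 12 ]
}

# Print the policy JSON for BUCKET granting ListBucket+GetObject to each ID.
# Returns 1 (and prints nothing) if no IDs are given or any ID is malformed.
build_bucket_policy() {
  bucket="$1"; shift
  [ $# -gt 0 ] || return 1
  principals=""
  for id in "$@"; do
    valid_account_id "$id" || return 1
    arn="\"arn:aws:iam::$id:root\""
    if [ -z "$principals" ]; then principals="$arn"; else principals="$principals, $arn"; fi
  done
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CrossAccountReadList",
      "Effect": "Allow",
      "Principal": { "AWS": [ $principals ] },
      "Action": [ "s3:ListBucket", "s3:GetObject" ],
      "Resource": [
        "arn:aws:s3:::$bucket",
        "arn:aws:s3:::$bucket/*"
      ]
    }
  ]
}
EOF
}

# Write the policy to a temp file, attach it, then read it back to confirm
# what is actually stored on the bucket.
apply_bucket_policy() {
  bucket="$1"; shift
  tmp=$(mktemp) || return 1
  build_bucket_policy "$bucket" "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
  aws s3api put-bucket-policy --bucket "$bucket" --policy "file://$tmp"
  rc=$?
  rm -f "$tmp"
  [ "$rc" -eq 0 ] || return "$rc"
  aws s3api get-bucket-policy --bucket "$bucket" --query Policy --output text
}

# Usage (placeholders): apply_bucket_policy my-bucket 111111111111 222222222222
```

Two caveats the answer touches on. First, a bucket policy only grants access; the IAM user or role in the other account still needs an identity policy in its own account allowing s3:ListBucket on the bucket and s3:GetObject on its objects. Second, the `BUCKET-NAME/*` statement covers only objects the bucket owner owns; with Object Ownership set to BucketOwnerEnforced (the default for new buckets) that is every object, but on an older bucket where other accounts uploaded objects without `bucket-owner-full-control`, those objects remain outside the policy.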

John Rotenstein

Reputation: 269320

Since you "want all the objects in the bucket to have the same permissions", and you wish to apply the permissions to a set of users, I would recommend:

  • Create an IAM Group
  • Assign the desired IAM Users to the IAM Group
  • Add a policy to the IAM Group that grants access to the bucket

Here is an example from User Policy Examples - Amazon Simple Storage Service:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListAllMyBuckets"
         ],
         "Resource":"arn:aws:s3:::*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListBucket",
            "s3:GetBucketLocation"
         ],
         "Resource":"arn:aws:s3:::examplebucket"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:GetObject",
            "s3:GetObjectAcl",
            "s3:DeleteObject"
         ],
         "Resource":"arn:aws:s3:::examplebucket/*"
      }
   ]
}

You can modify the policy as desired. The above policy grants permission to:

  • See a list of all buckets
  • List the contents of a specific bucket
  • Get/Put/Delete the contents of a specific bucket

Upvotes: 0
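Added example, not code from the answer above: the three steps in the answer (create the group, attach a bucket-scoped policy, add the users) as AWS CLI calls. The policy is a trimmed version of the one quoted in the answer: it keeps the list and read statements and drops PutObject, PutObjectAcl and DeleteObject, since the question only asks for read and list access. It assumes the AWS CLI is installed with credentials allowed iam:CreateGroup, iam:PutGroupPolicy, iam:AddUserToGroup and iam:GetGroup; the group, bucket and user names in the usage line are placeholders.

```bash
# Added example (not from the answer): create an IAM group with a read-only,
# bucket-scoped inline policy and add users to it. Assumes the AWS CLI is
# installed with credentials allowed iam:CreateGroup, iam:PutGroupPolicy,
# iam:AddUserToGroup and iam:GetGroup. Names in the usage line are placeholders.

# Read-only variant of the policy quoted in the answer: same ListAllMyBuckets,
# ListBucket and GetBucketLocation statements, object access cut down to
# GetObject (no Put/PutAcl/Delete).
build_group_policy() {
  bucket="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "s3:ListAllMyBuckets" ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ],
      "Resource": "arn:aws:s3:::$bucket"
    },
    {
      "Effect": "Allow",
      "Action": [ "s3:GetObject" ],
      "Resource": "arn:aws:s3:::$bucket/*"
    }
  ]
}
EOF
}

# Step 1: create the group. Step 2: attach the policy as an inline group
# policy. Step 3: add each user. Finally list the group's members to confirm.
setup_readonly_group() {
  group="$1"; bucket="$2"; shift 2
  aws iam create-group --group-name "$group" >/dev/null
  tmp=$(mktemp) || return 1
  build_group_policy "$bucket" > "$tmp"
  aws iam put-group-policy --group-name "$group" \
    --policy-name "S3ReadOnly-$bucket" --policy-document "file://$tmp"
  rc=$?
  rm -f "$tmp"
  [ "$rc" -eq 0 ] || return "$rc"
  for user in "$@"; do
    aws iam add-user-to-group --group-name "$group" --user-name "$user"
  done
  aws iam get-group --group-name "$group" --query 'Users[].UserName' --output text
}

# Usage (placeholders): setup_readonly_group examplebucket-readers examplebucket alice bob
```

Because the policy lives on the group, adding or removing a user from the group is the whole change when the set of readers changes; nothing on the bucket or its objects is touched. This only covers IAM users in the same account as the bucket; for users in other accounts the bucket policy from the other answer is needed as well.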

Gary Holiday

Reputation: 3562

What you are looking for is put-bucket-acl. Here is the AWS documentation.

The example provided is:

aws s3api put-bucket-acl --bucket MyBucket --grant-full-control [email protected],[email protected] --grant-read uri=http://acs.amazonaws.com/groups/global/AllUsers

In your example, you only have the flag --grant-read-acp; this does not grant access to the objects in the bucket. Per the documentation, --grant-read-acp "Allows grantee to read the bucket ACL". Not very useful in your case.

Whereas --grant-full-control gives read, write, read ACP, and write ACP to the bucket. If you look at the documentation I linked, you can see all the flags allowed.

Upvotes: 0
