Reputation: 37095
I need an Amazon S3 user with full access to a single bucket
I have a user foo with the following privileges (it's not a member of any group):
{
"Statement": [
{
"Sid": "Stmt1308813201865",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::bar"
}
]
}
That user however seem unable to upload or do much of anything until I grant full access to authenticated users (which might apply to anyone). This still doesn't let the user change permission as boto is throwing an error after an upload when it tries to do do key.set_acl('public-read').
Ideally this user would have full access to the bar bucket and nothing else, what am I doing wrong?
Upvotes: 37
Views: 44181
Answers (9)
Reputation: 917
Another way I was recently able to get this to work was using Amazon's documentation. The key for me was to point the IAM User to the specific bucket NOT the S3 console. Per the documentation, "Warning: After you change these permissions, the user gets an Access Denied error when they access the main Amazon S3 console. The main console link is similar to the following:
https://s3.console.aws.amazon.com/s3/home
Instead, the user must access the bucket using a direct console link to the bucket, similar to the following:
https://s3.console.aws.amazon.com/s3/buckets/awsexamplebucket/"
My policy is below:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1589486662000",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::AWSEXAMPLEBUCKET",
"arn:aws:s3:::AWSEXAMPLEBUCKET/*"
]
}
]
}
Upvotes: 1
Reputation: 1
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::YOUR-BUCKET",
"arn:aws:s3:::YOUR-BUCKET/*"
]
}
]
}
Upvotes: 0
Reputation: 6129
@cloudberryman's answer is correct but I like to make things as short as possible. This answer can be reduced to:
{
"Statement":[
{
"Effect":"Allow",
"Action":"S3:*",
"Resource":[
"arn:aws:s3:::bar",
"arn:aws:s3:::bar/*"
]
}
]
}
Upvotes: 0
Reputation: 9305
There is an official AWS documentation at Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket
Just copy and paste the appropriate rule and change the "Resource" key to your bucket's ARN in all Statements.
For programamtic access the policy should be:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::bar"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:DeleteObject"
],
"Resource": ["arn:aws:s3:::bar/*"]
}
]
}
And for console access access should be:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::bar*"
},
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::bar"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:DeleteObject"
],
"Resource": ["arn:aws:s3:::bar/*"]
}
]
}
Upvotes: 6
Reputation: 73
If you've been pulling your hair out because you cannot figure out why Cyberduck is not being able to set object ACLs but it works with another client (like Panic Transmit) here is the solution:
You need to add s3:GetBucketAcl to your Action list, eg:
{
"Statement": [
{
"Sid": "Stmt1",
"Action": [
"s3:GetBucketAcl",
"s3:ListBucket",
"s3:DeleteObject",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::your-bucket-name"
}
]
}
Of course you don't need to do this if you are less restrictive with s3:* but I think this is good to know.
Upvotes: 0
Reputation: 1365
That works for me:
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions"
],
"Resource": "arn:aws:s3:::bucket_name_here"
},
{
"Effect": "Allow",
"Action": [
"s3:*Object*",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload"
],
"Resource": "arn:aws:s3:::bucket_name_here/*"
}
]
}
Upvotes: 0
Reputation: 9571
The selected answer didn't work for me, but this one did:
{
"Statement": [
{
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
]
}
],
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
}
]
}
Credit: http://mikeferrier.com/2011/10/27/granting-access-to-a-single-s3-bucket-using-amazon-iam/
Upvotes: 23
Reputation: 4698
You need to grant s3:ListBucket permission to the bucket itself. Try the policy below.
{
"Statement": [
{
"Effect": "Allow",
"Action": "S3:*",
"Resource": "arn:aws:s3:::bar/*",
"Condition": {}
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::bar",
"Condition": {}
}
]
}
Upvotes: 44
Related Questions
- Create a single IAM user to access only specific S3 bucket
- S3 access to only one IAM user
- how I grant s3 bucket access with this particular role?
- Allow IAM user to access single s3 bucket
- How can I set up Amazon S3 bucket permission to an IAM user?
- ELI5: How to grant a single user full access to an S3 bucket?
- How do I restrict an IAM user to just 1 bucket?
- AWS S3 - How to restrict an IAM user to just a single bucket?
- AWS S3 grant access to single IAM user
- Amazon IAM User + Granting Access to S3