Reputation: 546
Authenticating and using iAM users to access S3
My use case is to allow users to create new user/password, create a folder for each user and allow them to upload files.
Then when they come back, they can login with the user/password and download their files (which are used within our product)
I managed to get most of the staff done using the C# API - very happy! The only problem is that I cannot find a way to authenticate the user with IAM - using the username/password.
I don't want the end user to worry about key/secrets and long strings, they are suppose to be able to transfer these details (and access to data files) with other users to help them.
Is there a way to authenticate an IAM username/password? Thanks, Uri.
Upvotes: 2
Views: 4057
Answers (3)
Reputation: 116878
As far as I understand the question, this seems to be available. You just need to have them log into the console from the sign-in link provided on the AWS IAM homepage.
You will then need to assign a password to the user account in question and add a policy for them so they can access the S3 bucket in question. You need the list all my buckets to get past the first screen of the console. I just tried it and something like the following works:
{
"Statement": [
{
"Sid": "Stmt1363222128",
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
},
{
"Sid": "Stmt136328293",
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::your_bucket_name"
]
}
]
}
Upvotes: 1
Reputation: 7200
You need to use 'federated access' - with that you have users with accounts and passwords on your system. Then they authenticate with your system, and you grant them access for up to 36 hours through a session based system (encrypted cookie, or memcache etc) to have access to their folder.
You can do this with a web application or with a standalone C# windows app that authenticates to your server.
With a web app, your users log in, user/pass, then you store an encrypted cookie or similar, so that your web app can make pre signed posts, download files, etc while they are logged in. There is no need for them to ever see an AWSID/Secret.
Upvotes: 2
Reputation: 5286
No. You will need to use the key/secrets. That is the short answer. When you create a new user in IAM it will give that specific user their own key/secrets. All they need to do is login, grab their key/secret and punch it in.
Manage IAM users and their access - You can create users in IAM, assign users individual security credentials (i.e., access keys, password, Multi Factor Authentication devices) or request temporary security credentials to provide users access to AWS services and resources. You can manage permissions to control which operations a user can perform. - aws.amazon.com/iam
Upvotes: 0
Related Questions
- Role-based cross-account S3 access
- S3 access to only one IAM user
- AWS IAM access to s3
- Enabling AWS IAM Users access to shared bucket/objects
- How IAM users sign into AWS accounts?
- AWS EC2 access to S3 with IAM role
- How do I generate authenticated S3 urls using IAM roles?
- AWS S3 grant access to single IAM user
- How can I share Amazon S3 content with MFA protection via IAM?
- Amazon IAM User + Granting Access to S3