为什么即使我在存储桶策略中授予用户也无法访问我们的 S3 存储桶？

Question

Some other users in my organization need access to our S3 bucket. I went to the bucket policy, copied and pasted an existing section and put in the account IDs they gave me (what I call ABC and DEF).

They tried and still get denied when trying to List Object. Is there something else I need to do?

Do the wildcards like List* actually work, or do I have to say ListObject? Someone had done that elsewhere in the policy.

{
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::AWS-account-id-ABC:role/prod-role",
            "arn:aws:iam::AWS-account-id-DEF:role/dev-role"
        ]
    },
    "Action": [
        "s3:Get*",
        "s3:Put*",
        "s3:List*"
    ],
    "Resource": "arn:aws:s3:::bucket_name/*"
}

Answer 1

As the principals are in different AWS accounts both the IAM policy and bucket policy are in effect.

Check the IAM policy attached to those roles for the S3:ListBucket permission. ( S3:ListBucket is the permission name that allows users to list objects in a bucket. ListObjects is the API call.)

Answer 2

According to the documentation , ListBucket requires a bucket resource (NOT an object resource that you provided). Therefore, I think you should modify the policy as follows.

{
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::AWS-account-id-ABC:role/prod-role",
            "arn:aws:iam::AWS-account-id-DEF:role/dev-role"
        ]
    },
    "Action": [
        "s3:Get*",
        "s3:Put*"
    ],
    "Resource": "arn:aws:s3:::bucket_name/*"
},
{
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::AWS-account-id-ABC:role/prod-role",
            "arn:aws:iam::AWS-account-id-DEF:role/dev-role"
        ]
    },
    "Action": [
        "s3:ListBucket"
    ],
    "Resource": "arn:aws:s3:::bucket_name"
}