
AmazonS3FullAccess managed policy on a group doesn't give S3 permission?

I have an S3 bucket that has in its policy permission for my CloudFront origin access identity:

{
  "Version": "2008-10-17",
  "Id": "PolicyForCloudFrontPrivateContent",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <mine>"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<my-bucket>/*"
    }
  ]
}

Additionally I've created a group and attached the AmazonS3FullAccess managed policy to it and added an IAM user to that group. The managed policy looks like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}

However, when that user tries to add anything to the bucket, I get a 403 (access denied). I'm unsure if any other operations work; I haven't written code to try them. It's only when I specifically allow that user's ARN access to the bucket directly in the bucket policy that they're allowed to add objects. What am I missing? It seems like the above group policy should allow members of that group access to all operations in all buckets, but it doesn't do that.

EDIT: After a whole bunch more poring over documentation, I think I've figured out that Amazon doesn't intend for groups to be used this way. They want you to use roles instead, which you can assign to an EC2 instance for automagic credential management. That's fine, but then I can't figure out how to test my code (using the aws-sdk Ruby gem) locally. Amazon says to define environment variables for your access ID and key - but what access ID and key? There's no such thing for a role...

Try replacing (in your policy):

"Resource": "arn:aws:s3:::<my-bucket>/*"

with:

"Resource": ["arn:aws:s3:::<my-bucket>", "arn:aws:s3:::<my-bucket>/*"]

and:

"Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <mine>"},

with:

"Principal": {"AWS": "arn:aws:iam::ACCOUNT_ID:user/USERNAME"},
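As an added illustration (not code from the question or the answer), here is a small Python model of same-account IAM policy evaluation run over the policies discussed above: the posted bucket policy, the bucket policy with the answer's Resource and Principal changes, and the AmazonS3FullAccess document as an identity policy. The bucket and user ARNs are constructed placeholders, and the revised bucket policy assumes s3:PutObject and s3:ListBucket are added to Action, since the question is about writing to the bucket.

```python
import fnmatch

# Constructed placeholders, not values from the question.
BUCKET = "arn:aws:s3:::my-bucket"
USER = "arn:aws:iam::123456789012:user/deployer"
OAI = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLE"

# Identity-based policy: the AmazonS3FullAccess document attached to the group.
S3_FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

def bucket_policy(principal, actions, resources):
    """Single-statement Allow bucket policy for the given principal."""
    return {"Statement": [{"Effect": "Allow", "Principal": {"AWS": principal},
                           "Action": actions, "Resource": resources}]}

# As posted: only the CloudFront OAI as principal, only the object ARN.
BUCKET_POLICY_ORIG = bucket_policy(OAI, "s3:GetObject", BUCKET + "/*")
# Assumption: the actions the asker needs (the answer only changes Resource and Principal).
ANSWER_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
# User as principal but only the object ARN: bucket-level actions still fail.
BUCKET_POLICY_OBJECTS_ONLY = bucket_policy(USER, ANSWER_ACTIONS, BUCKET + "/*")
# User as principal with both ARNs, as the answer suggests.
BUCKET_POLICY_FIXED = bucket_policy(USER, ANSWER_ACTIONS, [BUCKET, BUCKET + "/*"])

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, principal, action, resource):
    # Resource policies name a Principal; identity policies do not.
    if "Principal" in stmt:
        named = _as_list(stmt["Principal"].get("AWS", []))
        if "*" not in named and principal not in named:
            return False
    # IAM's '*' and '?' wildcards map onto fnmatch's case-sensitive globbing.
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def evaluate(principal, action, resource, identity_policies=(), resource_policies=()):
    """Simplified same-account evaluation: an explicit Deny in any applicable
    statement wins; otherwise an Allow from either an identity policy or the
    bucket policy is enough. Cross-account requests (which need an Allow on
    both sides), SCPs and permission boundaries are not modelled."""
    allowed = False
    for policy in list(identity_policies) + list(resource_policies):
        for stmt in policy["Statement"]:
            if _matches(stmt, principal, action, resource):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed
```

Under this model the group's AmazonS3FullAccess alone allows s3:PutObject for a same-account user, so a 403 in that setup points at the request being signed with different credentials or at a condition the model leaves out, not at the group policy text itself.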
