Amazon S3, how to create a user that can create buckets and manage them (read, write)?
Question
I've tried to create an IAM policy with just what I wanted, but it requires an ARN, and I don't know what to put there.
What I want is simple: Have some credentials that I can use to create buckets, create files and/or remove them, nothing else.
How can I achieve this?
1 answers
solution1
0 ACCPTED 2017-04-26 04:25:35
Strictly speaking, this policy will permit bucket creation, object creation and object deletion:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Action": [
"s3:CreateBucket"
],
"Resource": [
"*"
]
},
{
"Sid": "Statement2",
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:PutObject"
],
"Resource": [
"*"
]
}
]
}
However, it's a bit restrictive. For example, objects can be deleted with aws s3api delete-object but aws s3 rm will fail because it makes other calls as part of the removal process. So, you might need to experiment to get it working fully for your needs.
I've listed them as two separate statements because you might want to restrict them to particular buckets, in which case the syntax would be:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Action": [
"s3:CreateBucket"
],
"Resource": [
"*"
]
},
{
"Sid": "Statement2",
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::my-bucket/*"
]
}
]
}
The second statement grants permissions within a specific bucket .
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.