
Why this AWS IAM policy only works with an asterisk on the resource?

I'm trying to download some files I already uploaded to S3 with some Python code, but I'm getting headaches trying to use a tight policy.

I can list all the files in the bucket, but when I try to download them with what I see as a correct policy, I get: botocore.exceptions.ClientError: An error occurred (403) when calling the HeadObject operation: Forbidden

Then, when I was trying to add a different policy that worked for 2 different buckets, I added part of the bucket's name, then the asterisk, and for some reason, the same exact thing worked.

So can someone tell me why this happens?

This, for example, is what works like a charm:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1499955913000",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::THE-BEGINING-OF-THE-NAME*"
        }
    ]
}

But this doesn't:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1499955913000",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::THE-EXACT-COMPLETE-FULL-NAME"
        }
    ]
}

I can add the Python code for the download if it's relevant, but this question seems long enough, and the code is pretty straightforward.

Seems I just needed some rubber duck debugging; the answer was, I think, counterintuitive but easy:

It seems the ARN is not only an identifier for the AWS resource itself, but also for its content. So, when giving permissions, you need to give permissions to "the bucket" for listing it, and to "the content" to download it.

Which leads to a policy like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1499955913000",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::THE-EXACT-COMPLETE-FULL-NAME",
                "arn:aws:s3:::THE-EXACT-COMPLETE-FULL-NAME/*"
            ]
        }
    ]
}

Which, as I said, gives control over the bucket itself, with no asterisks, and whatever goes after the slash.
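Added example (not part of the question or answer above): a small Python model of IAM's Action/Resource matching that reproduces the three policies from this thread against a constructed bucket name and object key. It shows why the exact bucket ARN covers ListBucket but not GetObject (HeadObject is authorized by s3:GetObject against the object ARN), and also why the prefix wildcard "worked": it matches any ARN starting with that prefix, including an unrelated bucket that shares the prefix.

```python
import re

# Constructed sample values, not taken from the question.
BUCKET = "example-bucket"
OBJECT_KEY = "reports/2020.csv"
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
OBJECT_ARN = f"{BUCKET_ARN}/{OBJECT_KEY}"

def _iam_pattern(pattern: str, ignore_case: bool = False) -> re.Pattern:
    # IAM wildcards: '*' matches any run of characters (including '/'), '?' one character.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE if ignore_case else 0)

def _matches(patterns, value: str, ignore_case: bool = False) -> bool:
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(_iam_pattern(p, ignore_case).match(value) for p in patterns)

def is_allowed(policy: dict, action: str, resource_arn: str) -> bool:
    """Simplified identity-policy evaluation: an explicit Deny wins, otherwise any
    matching Allow grants, otherwise implicit deny. Conditions, NotAction and
    NotResource are out of scope. Action names match case-insensitively."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action, ignore_case=True) and _matches(stmt["Resource"], resource_arn):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def policy_for(resources) -> dict:
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": resources}]}

EXACT_BUCKET = policy_for(BUCKET_ARN)                             # the policy that failed
PREFIX_WILDCARD = policy_for(BUCKET_ARN + "*")                     # the policy that "worked"
BUCKET_AND_OBJECTS = policy_for([BUCKET_ARN, BUCKET_ARN + "/*"])  # the fix from the answer

def evaluate_all() -> dict:
    """ListBucket is checked against the bucket ARN; GetObject (and HeadObject,
    which needs s3:GetObject) against the object ARN."""
    policies = {"exact": EXACT_BUCKET, "prefix": PREFIX_WILDCARD, "fixed": BUCKET_AND_OBJECTS}
    return {name: {
        "ListBucket": is_allowed(p, "s3:ListBucket", BUCKET_ARN),
        "GetObject": is_allowed(p, "s3:GetObject", OBJECT_ARN),
        # an unrelated bucket that merely shares the name prefix
        "GetObject_other_bucket": is_allowed(p, "s3:GetObject", BUCKET_ARN + "-backup/secret.txt"),
    } for name, p in policies.items()}

if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(name, result)
```

The "prefix" row is the reason the wildcard policy is broader than intended: it grants the same actions on every bucket whose name begins with that prefix, which the bucket-plus-"/*" form does not.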
