
Not sure why this aws s3 bucket policy isn't working?

I have created a user called user1 and a role called s3limitedaccess and attached this bucket policy below. Created an access and secret key for this user, but cannot get this user to see this bucket or do anything with it. Please can someone advise. Thanks

Code:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1499888918000",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::rscexternal/*"
            ]
        }
    ]
}

If you wish to assign permissions to a specific IAM User, IAM Group or IAM Role, you should assign the permissions directly against that User/Group/Role within IAM rather than creating a Bucket Policy. (This might be what you did, but you mentioned "bucket policy" so it is unclear.)

Some Amazon S3 API calls operate at the bucket-level (eg listing the bucket) and some operate at the object-level (eg GetObject). Therefore, you would need a policy that grants access to both:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GrantFullAccess",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::rscexternal",
                "arn:aws:s3:::rscexternal/*"
            ]
        }
    ]
}

The IAM User with the above policy should then be able to access the bucket. For example, using the AWS Command-Line Interface (CLI):

aws s3 ls s3://rscexternal

If you wish the user to be able to use Amazon S3 via the management console, additional permissions are required.

From Policy for Console Access:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::test"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": ["arn:aws:s3:::test/*"]
    }
  ]
}
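To make the bucket-level versus object-level distinction in the answer concrete, here is a small offline evaluator, added as an illustration and not code from the question, the answer, or AWS. It models only the part of IAM evaluation this question turns on (Action/Resource wildcard matching, implicit deny, explicit Deny overriding Allow) and ignores Conditions, NotAction/NotResource, Principal and SCPs. The object key `report.csv` and the `evaluate_calls` helper are constructed for the example; the two policies are copied from the question and the answer.

```python
"""Minimal offline evaluator for the two IAM policies discussed above."""
import json
import re

# Policy from the question: grants s3:* on objects only (rscexternal/*).
ORIGINAL_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1499888918000",
            "Effect": "Allow",
            "Action": ["s3:*"],
            "Resource": ["arn:aws:s3:::rscexternal/*"]
        }
    ]
}
""")

# Policy from the answer: the bucket ARN plus the object ARN.
CORRECTED_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GrantFullAccess",
            "Effect": "Allow",
            "Action": ["s3:*"],
            "Resource": [
                "arn:aws:s3:::rscexternal",
                "arn:aws:s3:::rscexternal/*"
            ]
        }
    ]
}
""")

# Representative API calls: (IAM action, resource ARN the request is evaluated against).
# "report.csv" is a constructed sample object key.
CALLS = [
    ("s3:ListBucket", "arn:aws:s3:::rscexternal"),            # bucket-level: `aws s3 ls`
    ("s3:GetObject", "arn:aws:s3:::rscexternal/report.csv"),  # object-level
    ("s3:PutObject", "arn:aws:s3:::rscexternal/report.csv"),  # object-level
]


def _as_list(value):
    # IAM allows Action and Resource to be a single string or a list.
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, case_insensitive=False):
    # IAM wildcards: '*' matches any run of characters, '?' matches exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def is_allowed(policy, action, resource):
    """Return True when the policy allows `action` on `resource`.

    Rules modelled: implicit deny by default, any matching Allow grants,
    any matching Deny overrides every Allow.
    """
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are matched case-insensitively, resource ARNs case-sensitively.
        action_hit = any(_wildcard_match(a, action, case_insensitive=True)
                         for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_wildcard_match(r, resource)
                           for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def evaluate_calls(policy):
    """Map each representative call to the policy's decision."""
    return {action: is_allowed(policy, action, resource) for action, resource in CALLS}


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY), ("corrected", CORRECTED_POLICY)):
        print(name, evaluate_calls(policy))
```

Running it shows why the questioner's user could not "see" the bucket: the pattern `arn:aws:s3:::rscexternal/*` requires the literal `/` after the bucket name, so `s3:ListBucket` against `arn:aws:s3:::rscexternal` is an implicit deny under the original policy while `GetObject`/`PutObject` on an object ARN are allowed; the corrected policy allows all three.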
