I need to upload files to Amazon S3 bucket from my MVC .NET Core C# application. How can I organize this process so that different users of my app can't get access to each other files?
I guess they all should share one bucket, I can't create bucket for each user? But what should I specify in order each user of my application could download/list only his/her own files?
Why do you need to create a single bucket? As for my understanding is perfectly fine to create one by user.
Anyway,if you really need a single bucket you can use folder-level permissions through the IAM
policies.
Here is how it will look a policy for one user:
The bucket name is mycompany
The user is David
The folder for each user is /home/name
The policy is allowing first to list the buckets, then is allowing listing folder /home
and /home/name
. And finally, all actions are allowed inside the folder /home/name
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::*"]
},
{
"Sid": "AllowRootAndHomeListingOfCompanyBucket",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::my-company"],
"Condition":{"StringEquals":{"s3:prefix":["","home/", "home/David"],"s3:delimiter":["/"]}}
},
{
"Sid": "AllowListingOfUserFolder",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::my-company"],
"Condition":{"StringLike":{"s3:prefix":["home/David/*"]}}
},
{
"Sid": "AllowAllS3ActionsInUserFolder",
"Effect": "Allow",
"Action": ["s3:*"],
"Resource": ["arn:aws:s3:::my-company/home/David/*"]
}
]
}
You can find a good step-by-step explanation and how to here
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.