AWS IAM Policy Issues writing to s3 bucket for Grafana alerts

Question

Having some issues with AWS permissions and policies for grafana to be able to upload images. First off I tried with a custom policy attached to my user based on the requirements here https://grafana.com/docs/installation/configuration/#access-key .

Here's the policy:

custom policy with locked down permissions and bucket name
{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "s3:PutObject",
            "s3:PutObjectAcl"
        ],
        "Resource": "arn:aws:s3:::myclient-grafana-images"
    }
]
}

This unfortunately didn't work and can see an access denied error in my grafana logs. The user is trying to write an image to the bucket and ended up adding the AWS predefined policy for s3 full access. This managed to get it working

s3 full access policy
{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": "*"
    }
]
}

The question is trying to lock the policy down just to the bucket that I need. I've tried creating a new policy with the full access policy and updated the wildcard to reference the s3 arn but that didn't work either.

Any suggestions on the best way to lock down the policies.

Answer 1

The PutObject and PutObjectAcl actions work on objects, not buckets.

This means that your Resource key should represent objects . ARN for objects start with the bucket name but are followed by a / and a path.

You should adapt your policy in the following way if you want to be able to put any object in your bucket (note the /* ):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::myclient-grafana-images/*"
    }
  ]
}