I recently set up an IAM role for accessing a bucket with the following policy:

{
  "Statement": [
    {
      "Sid": "Stmt1359923112752",
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::<BUCKET_NAME>"
      ]
    }
  ]
}

While I can list the contents of the bucket fine, when I call get_contents_to_filename on a particular key, I receive a boto.exception.S3ResponseError: S3ResponseError: 403 Forbidden exception.

Is there a role permission that I need to add to fetch keys from S3? I have checked the permissions on the individual key, and there appears to be nothing that explicitly forbids access to other users; there is only a single permission that grants the owner full permissions.

For completeness, I verified that removing the role policy above prevents access to the bucket completely, so it's not an issue with the policy being applied.

Thanks!

bboe

1 Answer

You have to give permission to the objects in the bucket, not just to the bucket. So your resource would have to be arn:aws:s3:::<bucketname>/*. That matches every object.

Unfortunately, that doesn't match the bucket itself. So you either need to give bucket-related permissions to arn:aws:s3:::<bucketname> and object permissions to arn:aws:s3:::<bucketname>/*, or just give permissions to arn:aws:s3:::<bucketname>*. Though in that latter case, giving permissions to a bucket named fred would also give the same permissions to one named freddy.

Charles Engelke
  • Thanks! I just saw this related question about the same time: http://stackoverflow.com/questions/8203598/i-need-an-amazon-s3-user-with-full-access-to-a-single-bucket – bboe Feb 03 '13 at 20:57
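The three Resource shapes discussed in the answer (bucket ARN only, bucket ARN plus `/*`, and bucket ARN with a trailing `*`) can be checked against concrete ARNs with a small IAM-style wildcard matcher. The following is an added example, not code from the question, the answer or AWS; it assumes the bucket is named fred (standing in for `<BUCKET_NAME>`), constructs a few sample ARNs inline, evaluates only the Resource element of each Allow statement (Action and Condition are ignored), and splits the actions between bucket and object statements in the way the answer describes.

```python
from __future__ import annotations

import re
from typing import Iterable

# Constructed sample ARNs (assumption: the bucket from the question is "fred",
# and "freddy" is an unrelated bucket with a similar name, as in the answer).
BUCKET_ARN = "arn:aws:s3:::fred"
OBJECT_ARN = "arn:aws:s3:::fred/reports/2013/q1.csv"
OTHER_BUCKET_ARN = "arn:aws:s3:::freddy"
OTHER_OBJECT_ARN = "arn:aws:s3:::freddy/notes.txt"
ALL_ARNS = [BUCKET_ARN, OBJECT_ARN, OTHER_BUCKET_ARN, OTHER_OBJECT_ARN]


def arn_pattern_to_regex(pattern: str) -> re.Pattern[str]:
    """Translate an IAM Resource pattern into an anchored regex.

    In IAM resource elements '*' matches any run of characters (including '/')
    and '?' matches exactly one character; everything else is literal.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def resource_matches(pattern: str, arn: str) -> bool:
    """True if the IAM Resource pattern covers the given ARN."""
    return arn_pattern_to_regex(pattern).match(arn) is not None


def allowed_resources(policy: dict, arns: Iterable[str]) -> set[str]:
    """Return the ARNs covered by the Resource element of some Allow statement.

    Only resource matching is modelled here; Action and Condition evaluation
    are out of scope for this illustration.
    """
    allowed: set[str] = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        for arn in arns:
            if any(resource_matches(p, arn) for p in resources):
                allowed.add(arn)
    return allowed


# 1. The question's policy: only the bucket ARN, so object ARNs never match
#    and a GetObject on a key is denied even though ListBucket succeeds.
POLICY_BUCKET_ONLY = {
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::fred"]}
    ]
}

# 2. The answer's first fix: bucket-level actions on the bucket ARN and
#    object-level actions on <bucket>/*. Action split is this example's choice.
POLICY_SPLIT = {
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
            "Resource": ["arn:aws:s3:::fred"],
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": ["arn:aws:s3:::fred/*"],
        },
    ]
}

# 3. The answer's shortcut: a trailing '*' on the bucket ARN. This covers the
#    bucket and its objects, but also every bucket whose name starts with "fred".
POLICY_TRAILING_STAR = {
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::fred*"]}
    ]
}


if __name__ == "__main__":
    for name, policy in [
        ("bucket only", POLICY_BUCKET_ONLY),
        ("bucket + /*", POLICY_SPLIT),
        ("trailing *", POLICY_TRAILING_STAR),
    ]:
        print(f"{name:12s} -> {sorted(allowed_resources(policy, ALL_ARNS))}")
```

Running the script shows the bucket-only policy covering just arn:aws:s3:::fred, the split policy covering the bucket and its objects only, and the trailing-star policy additionally covering arn:aws:s3:::freddy and its objects, which is the over-match the answer warns about.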