
I have two accounts, primary and secondary. In the primary account I have an S3 bucket, let's say com.primary.buckets.1.

On that bucket my secondary account has read and write permissions via ACL.

When the secondary creates new keys, let's say sub/sub2/sub3/name.txt, the primary account has listing (only) access and cannot download, modify, or even add a key sub/different_sub/new_key.txt (403 permissions error).

The funny thing is that the primary account does not have access to the contents of his own bucket!!!

That causes me a lot of frustration. Does anyone know how to allow the primary account to access the data created by the test account within the primary bucket?

ACL for the bucket located in the primary account:

{
    "Version": "2008-10-17",
    "Id": "PolicyXXXXXXXXXX",
    "Statement": [
        {
            "Sid": "PolicyXXXXXXXXXX",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<secondary account ID>:root"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::com.primary.buckets.1/*",
                "arn:aws:s3:::com.primary.buckets.1"
            ]
        }
    ]
}
Vame
  • Possible duplicate of [S3: User cannot access object in his own s3 bucket if created by another user](https://stackoverflow.com/questions/34055084/s3-user-cannot-access-object-in-his-own-s3-bucket-if-created-by-another-user) – ErikE Oct 11 '19 at 20:00

1 Answer


I think you should set an ACL on the keys themselves, allowing access to all authenticated users. By default, objects allow access only to their owner (creator).

For PHP, I have linked below the documentation for creating an object (and setting an ACL): http://docs.aws.amazon.com/aws-sdk-php/latest/class-Aws.S3.S3Client.html#_putObject.

andreimarinescu
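Added example, not from either post: the asker's bucket policy from the question with a second statement that denies uploads by the secondary account unless the request sets the object ACL to bucket-owner-full-control (the ACL parameter of putObject linked in the answer), so objects stay private to the two accounts rather than readable by every authenticated AWS account; the statement Sids are placeholder names chosen here, and <secondary account ID> is the same placeholder as in the question.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSecondaryAccount",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<secondary account ID>:root"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::com.primary.buckets.1/*",
                "arn:aws:s3:::com.primary.buckets.1"
            ]
        },
        {
            "Sid": "DenyUploadsWithoutBucketOwnerFullControl",
            "Effect": "Deny",
            "Principal": {
                "AWS": "arn:aws:iam::<secondary account ID>:root"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::com.primary.buckets.1/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}
```

With this policy attached, a putObject from the secondary account succeeds only when it sends ACL bucket-owner-full-control, and the primary account can then read and delete the keys it could previously only list.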