
I have a bucket myapp that I want to restrict a newly created IAM user (that has no group policy) to.

But I am not sure how to do that.

I have tried this:

{
    "Statement": [
        {
            "Effect":"Allow",
            "Action": [ 
                "s3:ListBucket"
            ],
            "Resource":"arn:aws:s3:::myapp/*"
        }
    ]
}

Yet when I log in to the IAM console with that user, I see:

[image: iam-totally-restricted]

How do I achieve this?

Edit 1

This is the policy I am using for my user now:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::myapp"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::myapp/*"
            ]
        }
    ]
}

However, when I upload an image, I get this error:

Excon::Errors::Forbidden at /jobs
Expected(200) <=> Actual(403 Forbidden)
excon.error.response
  :body          => "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>0FF1D4848595DCFB</RequestId><HostId>+RrQvNFwV2hAcYPK3ZJJYzy5uiA7Aag0oc1Gpp3hENJ9lzJz453j8qJeLbdQ8jN4cc3ViRJ1lEg=</HostId></Error>"
  :cookies       => [
  ]
  :headers       => {
    "Connection"       => "close"
    "Content-Type"     => "application/xml"
    "Date"             => "Sat, 25 Jun 2016 18:54:24 GMT"
    "Server"           => "AmazonS3"
    "x-amz-id-2"       => "+R3ViRJ1lEg="
    "x-amz-request-id" => "0FF1DCFB"
  }
  :host          => "s3.amazonaws.com"
  :local_address => "192.168.1.102"
  :local_port    => 23456
  :path          => "/logos/company/logo/48/amped-logo.png"
  :port          => 443
  :reason_phrase => "Forbidden"
  :remote_ip     => "xx.xx.xxx.xxx"
  :status        => 403
  :status_line   => "HTTP/1.1 403 Forbidden\r\n"

Here are my CORS rules:

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>http://localhost:3000</AllowedOrigin>
        <AllowedMethod>HEAD</AllowedMethod>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>DELETE</AllowedMethod>
        <ExposeHeader>ETag</ExposeHeader>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
</CORSConfiguration>

Edit 2

I finally got this solved, as you can see here: AWS S3 403 Forbidden Error on newly created IAM inline policy for a new IAM user

marcamillion
  • Possible duplicate of [I need an Amazon S3 user with full access to a single bucket](http://stackoverflow.com/questions/8203598/i-need-an-amazon-s3-user-with-full-access-to-a-single-bucket) – Mark B Jun 25 '16 at 17:34

1 Answer

You will need to add the GetBucketLocation and ListAllMyBuckets permissions to allow the user console access.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::myapp/*"
    }
  ]
}
Shibashis
  • Perfect. So I guess I can't restrict the listing of all the buckets? Ideally, I would love for it to just show the 1 bucket that I want them to see. But is that not possible? – marcamillion Jun 25 '16 at 17:02
  • There is no way around it. For access through console this is needed. – Shibashis Jun 25 '16 at 17:16
  • Oh ok. Thanks much. – marcamillion Jun 25 '16 at 17:23
  • When I tried to actually browse into the `myapp` bucket, it gives me a 'Sorry, you don't have permission to view this bucket' message. What could be causing that? – marcamillion Jun 25 '16 at 17:25
  • Change the ListBucket resource from this: `"Resource": "arn:aws:s3:::myapp/*"` which is invalidly trying to give ListBucket access for objects inside a bucket, to this `"Resource": "arn:aws:s3:::myapp"` which gives ListBucket access for the bucket in question. – Mark B Jun 25 '16 at 17:30
  • Also AWS has documented this: http://blogs.aws.amazon.com/security/post/Tx3VRSWZ6B3SHAV/Writing-IAM-Policies-How-to-grant-access-to-an-Amazon-S3-bucket – Mark B Jun 25 '16 at 17:31
  • I used that exact policy (the 2nd one) from the AWS blog post that @MarkB linked to. When I am in the console, I can see the folders and I can browse to where I expect to be able to browse to. But when I try to upload a file to one of my folders, I get this error: `Excon::Errors::Forbidden - Expected(200) <=> Actual(403 Forbidden) excon.error.response`. I suspect it is the policy, but I am not completely sure. What could be causing this? – marcamillion Jun 25 '16 at 18:31
  • Upload needs PutObject permission. – Shibashis Jun 25 '16 at 18:38
  • I do have `PutObject` permission. But the issue is when I go to view the URL for the image, I also see that 403 error message. – marcamillion Jun 25 '16 at 18:41
  • What is the current permission? – Shibashis Jun 25 '16 at 18:42
  • @Shibashis I have updated my question with more details about the current IAM policy, the CORS rules and the error message. Does that address your question? Not sure I understand it otherwise. – marcamillion Jun 26 '16 at 03:43
  • Never mind. I figured it out as can be seen here: http://stackoverflow.com/questions/38035583/aws-s3-403-forbidden-error-on-newly-created-iam-inline-policy-for-a-new-iam-user/38035627#38035627 – marcamillion Jun 26 '16 at 06:47
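The bucket-ARN versus object-ARN point from the answer thread, as an added example that is not part of the question or the answer: a deliberately simplified identity-policy evaluator (wildcard Action/Resource matching only; no Condition, NotAction, bucket policies or SCPs, which is an assumption) plus a lint that flags bucket-level actions granted on `bucket/key` ARNs. The two policies are constructed from the question's first attempt and its Edit 1.

```python
import fnmatch

# Constructed from the question: the first attempt (ListBucket on an object ARN)
# and the Edit 1 policy (bucket ARN for ListBucket, bucket/* for object actions).
FIRST_ATTEMPT = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::myapp/*"}]}
EDIT1_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
     "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::myapp"]},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::myapp/*"]}]}

# S3 actions that operate on the bucket itself, so their Resource must be the bucket ARN.
BUCKET_LEVEL_ACTIONS = {"s3:listbucket", "s3:getbucketlocation"}
S3_PREFIX = "arn:aws:s3:::"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, fold_case=False):
    # IAM matches Action and Resource with * and ? wildcards; action names are
    # case-insensitive, while S3 ARNs (bucket names and keys) are matched as written.
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)

def is_allowed(policy, action, resource):
    """Simplified evaluation: an explicit Deny wins, any matching Allow grants,
    otherwise the request is implicitly denied (the 403 AccessDenied above)."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def lint_bucket_actions(policy):
    """Return (action, resource) pairs where a bucket-level action is granted only on
    an object ARN (bucket/key); such a statement can never match the bucket ARN."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            if action.lower() not in BUCKET_LEVEL_ACTIONS:
                continue
            for res in _as_list(stmt["Resource"]):
                if res.startswith(S3_PREFIX) and "/" in res[len(S3_PREFIX):]:
                    findings.append((action, res))
    return findings
```

Run the first-attempt policy through `is_allowed` for `s3:ListBucket` on `arn:aws:s3:::myapp` to see why the console showed the bucket as inaccessible: the pattern `myapp/*` never matches the bare bucket ARN.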