
I have followed this blog in order to set up my AWS IAM and S3 accounts with Web Identity Federation. I am able to authenticate and receive session credentials and tokens all fine. I am also able to download and upload objects. However, I am getting:

access denied

on the following ListMultipartUploads request:

var request = new ListMultipartUploadsRequest()
{
    BucketName = bucketName,
    Prefix = $"{UserId}/"
};

var response = await s3Client.ListMultipartUploadsAsync(request);

The access policy attached to my IAM role is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::mybucket/${myidentityprovider:userId}/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": "${myidentityprovider:userId}/"
                }
            }
        }
    ]
}

As you can see, I have the permission "s3:ListBucketMultipartUploads", so the user should be able to perform ListMultipartUploads on their buckets. What am I doing wrong?

marcusturewicz
  • Perhaps try the prefix without the ending slash? (Based on reading [Allow a user to get a list of objects in a bucket according to a specific prefix](http://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html#condition-key-bucket-ops-2)) – John Rotenstein Jul 19 '17 at 10:59
  • I tried it without the prefix slash but it still returns access denied. – marcusturewicz Jul 20 '17 at 01:00
  • Does it work correctly if you remove the prefix condition? – John Rotenstein Jul 20 '17 at 01:19
  • Yes it does, but obviously I want the user to only be able to list multipart uploads that they have done. – marcusturewicz Jul 20 '17 at 01:40
  • While I can successfully use `s3:ListBucket` with `s3:prefix`, all my experiments have failed when using `s3:ListBucketMultipartUploads` with `s3:prefix` -- and that's just by directly specifying the prefix rather than using `${myidentityprovider:userId}`. The documentation suggests that it should work, but I can't achieve it. – John Rotenstein Jul 20 '17 at 03:17
  • Hmmm. Could this be a bug? How can we move forward with this? – marcusturewicz Jul 20 '17 at 03:20
  • Somebody else might find a solution, otherwise you can raise a support case with AWS if you subscribe to Support. Otherwise, post it to their Forums but there's no guaranteed response there. – John Rotenstein Jul 20 '17 at 03:21
  • You've probably already checked, but is there a bucket policy or an ACL that may be getting in the way? – Aaron Medacco Jul 21 '17 at 09:55
  • There's no bucket policy and I can't see any ACLs that would be causing issues. The identity provider is set up under my developer AWS IAM account, as per the blog linked in the question. – marcusturewicz Jul 24 '17 at 05:06
  • Enable CloudTrail and see if that gives you any more details? I found that helps point me in the right direction when debugging API calls. – strongjz Aug 03 '17 at 01:42
  • OK, I'll give that a go and report back. – marcusturewicz Aug 03 '17 at 01:45
  • Have you tried adding an asterisk on the end of your "StringLike" condition? Think of it like a SQL like where you have to add a '%' to match anything that starts with the prefix. I've seen lots of examples that show that pattern. See "Block 3" in this link: https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/ – Jed Aug 03 '17 at 15:08
  • Thanks for the idea. It produces the same result, unfortunately. – marcusturewicz Aug 04 '17 at 01:25
  • CloudTrail doesn't seem to be listing anything interesting, nothing regarding errors for list multipart etc. – marcusturewicz Aug 04 '17 at 10:41
  • You might want to try the AWS policy simulator https://policysim.aws.amazon.com/home/index.jsp. It can be tricky to use, but has helped me enormously with problems such as this one. – ariels May 03 '21 at 07:06
  • I see that in your request the prefix is $"{UserId}/", while in your policy the prefix is "${myidentityprovider:userId}/". This might be the problem. – Kamèl Romdhani Aug 23 '23 at 12:17

1 Answer

I see an error in your prefix statement. It needs to be an array:

"s3:prefix": ["${myidentityprovider:userId}/*"]

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::mybucket/${myidentityprovider:userId}/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": ["${myidentityprovider:userId}/*"]
                }
            }
        }
    ]
}
Kannaiyan