I am trying to give a programmatic IAM user access to a single bucket.

I setup the following policy and attached it to the user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket/*"
            ]
        }
    ]
}

Trying to programmatically upload a file I got a 403.

I got this policy from here:

Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket

I verified that everything else is working by then adding an AWS managed policy, AmazonS3FullAccess, after which my upload succeeded. But I would rather not give this user full access.

There are no other policies attached to this user.

Mark Fraser
    How are you performing the upload? CLI command? Or can you show us the code that generates the error? The code might be calling another API. Can the same user download a file? – John Rotenstein Apr 15 '18 at 04:15
  • I am performing it using a Ruby gem, dragonfly-s3_data_store, from the Rails console. The code is `Dragonfly.app.store('local/path/to/file')`. The same code works fine when the S3 full access policy is in effect. – Mark Fraser Apr 15 '18 at 23:48
  • Try setting debug mode. The code could be trying to use other methods like `GetBucketLocation` or `ListBucket`. The debug mode will probably show you the complete forbidden response from AWS. Try it also with `awscli`: `aws s3 cp /local/path/to/file s3://my-bucket/file-name` – Jonathan Beber Apr 16 '18 at 00:09

2 Answers

Nothing is wrong with your policy. Make sure you're using the right bucket name in the IAM policy and that the policy is actually attached to the user.

You can test it with the IAM Policy Simulator. Maybe you should consider the time policies take to take effect, but it's "almost immediately". See this answer.

Jonathan Beber
  • The simulator says "allowed" for all permissions I entered (PutObject, ListBucket, GetObject and DeleteObject). The time is not an issue as I tried it again today after setting it up yesterday. – Mark Fraser Apr 16 '18 at 00:02

You can try this policy to give full access to a particular bucket:

{
    "Version": "2012-10-17",
    "Statement": [{
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::<BUCKETNAME>/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        }
    ]
}

Since you are providing Put, Get and Delete, you might as well provide full access to the particular bucket.

Varun Chandak
  • This was close enough to get me there. I had to add "arn:aws:s3:::" to the first Resource array (the editor gave me a warning on the original which led me to this). Doesn't this policy allow the user to list all buckets, even if only allowing modification of one? For me this isn't a big problem but it might be in the future. – Mark Fraser Apr 17 '18 at 16:54
  • It's just listing buckets, not the objects inside them. – Varun Chandak Apr 17 '18 at 17:20
  • I realize that. But why should I have to give a user with access to only one known bucket this information (the list of buckets)? – Mark Fraser Apr 17 '18 at 18:04
  • 1
    AFAIK, this is used for console purposes. For example, if you click on S3, it will show a list of buckets, from where he can go to the designated bucket. If this permission is revoked, then it will show access denied. But if the user directly enters the bucket name in the address bar and hit enter, then he should enter directly in the bucket with the `ListAllBuckets` access revoked. – Varun Chandak Apr 18 '18 at 04:36
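The thread turns on one detail of S3 authorization: bucket-level actions (ListBucket, GetBucketLocation, ...) are only authorized against the bucket ARN `arn:aws:s3:::bucket`, while object-level actions need `arn:aws:s3:::bucket/*`, and `ListAllMyBuckets` needs `*` or `arn:aws:s3:::*`. That is why the second answer's policy, which lists only `<BUCKETNAME>/*` under `s3:*`, still denies `ListBucket` and `GetBucketLocation` (actions some client libraries call before an upload), and why the questioner had to add the bare bucket ARN. The script below is an added example, not code from the thread or from AWS: an offline linter that expands each Allow statement's actions against a partial, hand-maintained table of S3 action levels (an assumption; extend it from the AWS docs for actions it does not know) and reports actions whose required ARN shape no statement grants. It also builds the minimal single-bucket policy the questioner wanted, without `ListAllMyBuckets`. Both sample policies are transcribed from the thread, with `<BUCKETNAME>` replaced by the constructed name `mybucket`.

```python
import fnmatch

S3_ARN_PREFIX = "arn:aws:s3:::"

# Partial map of S3 actions to the resource level they are authorized on.
# Assumption based on the AWS S3 action reference; not exhaustive.
BUCKET_LEVEL = {
    "s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketVersions",
    "s3:ListBucketMultipartUploads", "s3:GetBucketAcl", "s3:GetBucketPolicy",
    "s3:GetBucketVersioning", "s3:CreateBucket", "s3:DeleteBucket",
}
OBJECT_LEVEL = {
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetObjectAcl",
    "s3:PutObjectAcl", "s3:GetObjectVersion", "s3:AbortMultipartUpload",
    "s3:ListMultipartUploadParts", "s3:RestoreObject",
}
ACCOUNT_LEVEL = {"s3:ListAllMyBuckets"}
REQUIRED_LEVEL = {**{a: "bucket" for a in BUCKET_LEVEL},
                  **{a: "object" for a in OBJECT_LEVEL},
                  **{a: "account" for a in ACCOUNT_LEVEL}}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalize to list."""
    return value if isinstance(value, list) else [value]


def expand_actions(action_patterns):
    """Expand IAM action patterns such as 's3:*' or 's3:Get*' over the known actions."""
    matched = set()
    for pattern in _as_list(action_patterns):
        matched |= {a for a in REQUIRED_LEVEL
                    if fnmatch.fnmatchcase(a.lower(), pattern.lower())}
    return matched


def resource_levels(arn):
    """Which resource levels (account/bucket/object) an S3 resource ARN can match."""
    if arn == "*":
        return {"account", "bucket", "object"}
    if not arn.startswith(S3_ARN_PREFIX):
        return set()
    body = arn[len(S3_ARN_PREFIX):]
    if body == "*":
        return {"account", "bucket", "object"}
    if "/" in body:                 # bucket/key-pattern: object ARNs only
        return {"object"}
    if body.endswith("*"):          # 'mybucket*' matches bucket and object ARNs
        return {"bucket", "object"}
    return {"bucket"}               # bare bucket name: bucket ARN only


def lint_policy(policy):
    """Return allowed actions that no Allow statement grants at the ARN level they need."""
    granted = {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        levels = set()
        for arn in _as_list(stmt.get("Resource", [])):
            levels |= resource_levels(arn)
        for action in expand_actions(stmt["Action"]):
            granted.setdefault(action, set()).update(levels)
    return sorted(a for a, levels in granted.items() if REQUIRED_LEVEL[a] not in levels)


def single_bucket_policy(bucket, object_actions=("s3:GetObject", "s3:PutObject", "s3:DeleteObject")):
    """Least-privilege policy for one bucket: bucket ARN for bucket actions, bucket/* for object actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": f"{S3_ARN_PREFIX}{bucket}"},
            {"Effect": "Allow",
             "Action": list(object_actions),
             "Resource": f"{S3_ARN_PREFIX}{bucket}/*"},
        ],
    }


# Constructed inputs transcribed from the thread (bucket name 'mybucket' substituted).
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::mybucket"]},
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
         "Resource": ["arn:aws:s3:::mybucket/*"]},
    ],
}
ANSWER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "s3:*", "Effect": "Allow", "Resource": ["arn:aws:s3:::mybucket/*"]},
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*"},
    ],
}

if __name__ == "__main__":
    print("question policy gaps:", lint_policy(QUESTION_POLICY))
    print("answer policy gaps:", lint_policy(ANSWER_POLICY))
    print("fixed policy gaps:", lint_policy(single_bucket_policy("mybucket")))
```

The linter reports nothing for the question's own policy, which matches the first answer's "nothing is wrong with your policy" and the simulator result; the 403 therefore has to come from an action the client calls that is outside the four tested, which is what the debug-mode suggestion in the comments is meant to reveal. For the second answer's policy it reports every bucket-level action under `s3:*`, the gap the questioner closed by adding the bare bucket ARN.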