
I have created a bucket poc-work from the admin account, and on this bucket I have set a policy like below:

```json
{
    "Version": "2012-10-17",
    "Id": "Policy1620674317608",
    "Statement": [
        {
            "Sid": "Stmt1321974214233",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::account-id:user/iam-user"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::poc-work",
                "arn:aws:s3:::poc-work/*"
            ]
        }
    ]
}
```

I have not attached any AWS managed policy like s3readonly to the IAM user, but I am under the assumption that setting a bucket policy should make the bucket visible to the IAM user. But when the IAM user logs in and checks the S3 service, there is an error message: You don't have permissions to list buckets

I have the following queries:

  1. Can't I create a bucket policy that enables listing S3 buckets?
  2. Is it necessary to attach an already-defined policy for browsing in the IAM console and then control the rest of the operations with the bucket policy?
  • Can you try running `aws s3 ls poc-work` using CLI? It seems the bucket policy allows you to see the bucket, but not to list all the buckets in your account – Michał Urbaniak May 14 '21 at 15:28
  • To give specific IAM users access to S3 resources, you would typically add S3 permissions to an IAM policy and attach that policy to the IAM user, rather than configuring the IAM user to have permission via an S3 bucket policy. – jarmod May 17 '21 at 16:52

1 Answer


You are giving the user permission for one bucket, but if the user is going through the console the user needs the ListAllBuckets permission to see all the buckets that exist in the account. So you do need to add permissions to the IAM user as well, not just the one bucket.

Also see:

The 1st link says:

ListAllMyBuckets is required for seeing the list of buckets via the AWS console. It is a MUST if you plan to use the console for S3 administration. If you don't have this permission you basically won't see any of the buckets in the S3 console despite whatever other permissions you have configured and therefore can't take any action upon them.

– Shawn

  • This is correct, with the additional clarification that `s3:ListAllMyBuckets` needs to apply to the 'root' resource (`"arn:aws:s3:::*"`). It's no good adding that permission to the bucket policy. – Daniel Scott May 14 '21 at 15:45
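The evaluation behaviour the answer and Daniel Scott's comment describe, written out as an added Python example (not part of the original answer, and not AWS's own policy evaluator): a deliberately simplified same-account check that combines identity policies and bucket policies the way IAM does for a principal in the same account (explicit Deny wins, otherwise an Allow from either side is enough). It assumes a constructed account id `123456789012`, ignores `Condition` blocks, and models the rule that a bucket policy only ever applies to that bucket and its objects, which is exactly why it can never satisfy `s3:ListAllMyBuckets` on `arn:aws:s3:::*`. `IDENTITY_POLICY` is the kind of user policy the answer says must be attached in addition to the bucket policy.

```python
"""Simplified same-account IAM/S3 policy evaluation (added example, not AWS's evaluator)."""
import fnmatch

USER_ARN = "arn:aws:iam::123456789012:user/iam-user"  # constructed placeholder account id
BUCKET_ARN = "arn:aws:s3:::poc-work"

# The bucket policy from the question, with the account id replaced by the placeholder above.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1321974214233",
        "Effect": "Allow",
        "Principal": {"AWS": USER_ARN},
        "Action": "s3:*",
        "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
    }],
}

# The identity policy the answer calls for: ListAllMyBuckets on the root S3
# resource (so the console can list buckets), plus bucket-scoped rights only.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SeeBucketsInConsole", "Effect": "Allow",
         "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*"},
        {"Sid": "WorkInPocBucket", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]},
    ],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    """IAM wildcards (* and ?) behave like shell globs; action names are case-insensitive."""
    actions_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                     for a in _as_list(stmt.get("Action", [])))
    resources_ok = any(fnmatch.fnmatchcase(resource, r)
                       for r in _as_list(stmt.get("Resource", [])))
    return actions_ok and resources_ok


def _principal_matches(stmt, principal_arn):
    """Bucket-policy statements name a principal; identity policies do not."""
    principal = stmt.get("Principal", "*")
    if principal == "*":
        return True
    return principal_arn in _as_list(principal.get("AWS", []))


def is_allowed(action, resource, principal_arn, identity_policies, bucket_policies):
    """Same-account evaluation: any explicit Deny wins; otherwise an Allow from
    either an identity policy or an applicable bucket policy grants the action.
    A bucket policy applies only to its own bucket ARN and the objects under it,
    so the account-wide resource arn:aws:s3:::* used by s3:ListAllMyBuckets is
    never covered by one (S3 rejects a bucket policy naming any other resource)."""
    effects = []
    for policy in identity_policies:
        for stmt in policy["Statement"]:
            if _statement_matches(stmt, action, resource):
                effects.append(stmt["Effect"])
    for bucket_arn, policy in bucket_policies:
        if not (resource == bucket_arn or resource.startswith(bucket_arn + "/")):
            continue  # this bucket's policy has no say over other resources
        for stmt in policy["Statement"]:
            if _principal_matches(stmt, principal_arn) and _statement_matches(stmt, action, resource):
                effects.append(stmt["Effect"])
    if "Deny" in effects:
        return False
    return "Allow" in effects


if __name__ == "__main__":
    buckets = [(BUCKET_ARN, BUCKET_POLICY)]
    # `aws s3 ls poc-work` needs s3:ListBucket on the bucket: the bucket policy alone suffices.
    print("ListBucket via bucket policy only:",
          is_allowed("s3:ListBucket", BUCKET_ARN, USER_ARN, [], buckets))
    # The console's bucket list needs s3:ListAllMyBuckets on arn:aws:s3:::*.
    print("ListAllMyBuckets via bucket policy only:",
          is_allowed("s3:ListAllMyBuckets", "arn:aws:s3:::*", USER_ARN, [], buckets))
    print("ListAllMyBuckets with identity policy attached:",
          is_allowed("s3:ListAllMyBuckets", "arn:aws:s3:::*", USER_ARN, [IDENTITY_POLICY], buckets))
```

Running the block prints `True`, `False`, `True`: the bucket policy already lets the user work with poc-work from the CLI, but only the identity policy's `SeeBucketsInConsole` statement makes the console's bucket listing succeed. The `Principal` check matters for the bucket policy only; real IAM additionally honours `Condition` keys and cross-account rules, which this example leaves out on purpose.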