
I have a simple IAM role with a policy to list a specific bucket and allow get operations on all its contents. The role is assumed by another account. When the account assumes the role, no buckets are shown. Here is the policy. What is wrong?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::foobar"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::foobar/*"
        }
    ]
}
John Rotenstein
AfterWorkGuinness
  • What do you mean by "no buckets are shown"? The `s3:ListBucket` permission allows you to list the objects in a bucket. You would need `s3:ListAllMyBuckets` on resource `arn:aws:s3:::*` to list buckets. – jarmod Mar 09 '23 at 16:35
  • Check with the region of the role being assumed. The buckets are visible in that specific region only. – Roxy Mar 09 '23 at 16:36
  • @jarmod my goal is for Account B's user to be able to see only the foobar bucket belonging to Account A and no other buckets from Account A. When the user assumes this role and goes to S3 it shows "No Buckets". – AfterWorkGuinness Mar 09 '23 at 16:44
  • None of the granted permissions allow them to list buckets, as mentioned above. – jarmod Mar 09 '23 at 16:45
  • @jarmod There are two accounts at play A (which owns the bucket) and B. Account A has an IAM role that is assumed by a user in Account B. If I try a more wide open policy (in Account A) that grants all "List" permissions on any bucket, Account B is able to see all the buckets when it assumes the role. – AfterWorkGuinness Mar 09 '23 at 16:49
  • @jarmod for Account B's user to see only bucket foobar, what should the policy look like? – AfterWorkGuinness Mar 09 '23 at 16:51
  • 1
    You can't do this afaik. You can only allow `s3:ListAllMyBuckets`, which makes all buckets listable. You can't list or access their objects, however, unless you have additional bucket-level and object-level permissions. Related [question](https://stackoverflow.com/questions/6615168/is-there-an-s3-policy-for-limiting-access-to-only-see-access-one-bucket). – jarmod Mar 09 '23 at 16:54
  • Thanks, that post looks like what I need. Closing. – AfterWorkGuinness Mar 09 '23 at 17:29
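The following is an added example, not code from the question or the comments. It is a deliberately minimal IAM-style evaluator (Allow statements, action and resource wildcards, implicit deny; no explicit Deny, Condition blocks, NotAction/NotResource, resource policies or the cross-account trust) that runs the asker's policy and a version extended with the `s3:ListAllMyBuckets` statement jarmod describes against a constructed pair of bucket names. It shows why the original policy yields an empty bucket list, why the fixed one makes every bucket name visible, and that object access stays confined to foobar either way. The bucket name `other-bucket` and the `console_view` model of what the S3 console needs are assumptions for illustration.

```python
"""Minimal IAM-style policy evaluator (added example, not from the question).

Models only what the question needs: Allow statements, action and resource
wildcards, and the implicit deny when nothing matches. Explicit Deny,
Condition blocks, NotAction/NotResource, resource policies and the
cross-account trust relationship are deliberately out of scope.
"""
import fnmatch
import json

# The asker's policy as posted: list objects in foobar, read its objects.
ORIGINAL_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::foobar"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::foobar/*"}
    ]
}
""")

# The same policy plus the bucket-listing permission from the comments.
# s3:ListAllMyBuckets is not bucket-scoped, so it is granted on
# "arn:aws:s3:::*" and every bucket name becomes visible in the listing;
# object and per-bucket listing access are still confined to foobar.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": ORIGINAL_POLICY["Statement"] + [
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"],
         "Resource": "arn:aws:s3:::*"}
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def is_allowed(policy, action, resource):
    """Return True if some Allow statement matches both action and resource.

    Actions compare case-insensitively; resource ARNs are case-sensitive.
    IAM's '*' and '?' wildcards have the same meaning in fnmatch. Anything
    not matched is an implicit deny, which the console reports as
    "No Buckets" when s3:ListAllMyBuckets is missing.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # explicit Deny is not modelled here
        actions = _as_list(stmt.get("Action", []))
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue
        resources = _as_list(stmt.get("Resource", []))
        if any(fnmatch.fnmatchcase(resource, r) for r in resources):
            return True
    return False


def console_view(policy, bucket_names):
    """Assumed model of the console: the bucket list needs s3:ListAllMyBuckets
    on arn:aws:s3:::*, and opening a bucket needs s3:ListBucket on its ARN."""
    if not is_allowed(policy, "s3:ListAllMyBuckets", "arn:aws:s3:::*"):
        return {"buckets": [], "browsable": []}
    browsable = [b for b in bucket_names
                 if is_allowed(policy, "s3:ListBucket", f"arn:aws:s3:::{b}")]
    return {"buckets": list(bucket_names), "browsable": browsable}


if __name__ == "__main__":
    buckets = ["foobar", "other-bucket"]  # constructed sample bucket names
    print("original:", console_view(ORIGINAL_POLICY, buckets))
    print("fixed:   ", console_view(FIXED_POLICY, buckets))
    # GetObject stays confined to foobar under the fixed policy as well.
    print(is_allowed(FIXED_POLICY, "s3:GetObject", "arn:aws:s3:::other-bucket/x"))
```

The evaluator makes the trade-off in the comments concrete: the only lever for the bucket list is `s3:ListAllMyBuckets` on the account-wide resource, so Account B's user sees every bucket name, while the bucket-scoped `s3:ListBucket` and `s3:GetObject` statements are what actually decide which bucket they can open or read from.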

0 Answers