Login/Register
AWS S3 Trying to understand permission given to a Policy
Asked Answered
Solved amazon-s3amazon-policy
G

1

0

I'm trying to create a policy to be used by an application deployed in a ECS, to getObject/Put/Delete some files inside the bucket. The policy i'm creating looks like this:

{
        "Sid": "VisualEditor1",
        "Effect": "Allow",
        "Action": [
            "s3:ListBucket",
            "s3:DeleteObject",
            "s3:PutObjectAcl",
            "s3:ListBucket",
            "s3:ListMultipartUploadParts",
            "s3:PutObject",
            "s3:GetObject",
            "s3:ListBucketVersions",
            "s3:ListBucketMultipartUploads"
        ],
        "Resource": [
            "arn:aws:s3:::name-of-bucket",
        ]

But i still get Access Denied errors when trying to upload a file to the bucket, i've seen some AWS examples where people defined the resource in the policy as:

"arn:aws:s3:::name-of-bucket/*",

Please notice the /* .

So my question is when should i use /* and when should i not use it (for which permission should i use it).

Gristle answered 25/7, 2018 at 21:30 Comment(0)
D
4

You have to do both, meaning you need permissions for buckets, the bucket itself and objects in the bucket. Each layer can be controlled.

In the following policy notice that there are three sections. The first section provides permission to list the buckets in your account. The next section provides permissions to list the contents of a bucket and get a bucket's location property. The third section controls what you can do inside a bucket.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListAllMyBuckets"
         ],
         "Resource":"arn:aws:s3:::*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListBucket",
            "s3:GetBucketLocation"
         ],
         "Resource":"arn:aws:s3:::examplebucket"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:GetObject",
            "s3:GetObjectAcl",
            "s3:DeleteObject"
         ],
         "Resource":"arn:aws:s3:::examplebucket/*"
      }
   ]
}
Dependency answered 25/7, 2018 at 22:18 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.