Create an IAM policy for Amazon S3

I am trying to implement an IAM policy in which a user can only access the folder to which he is entitled. I got this code from the Amazon docs:

Allow user to list only objects in their home directory in the corporate bucket

This example is based on the previous example, in which Bob is given a home directory. To give Bob the ability to list objects in his home directory, he needs access to ListBucket. However, we want the results to include only objects in his home directory, and not everything in the bucket. To limit his access in this way, we use a policy condition key named s3:prefix with the value set to home/bob/. This means that the ListBucket response will return only objects with the prefix home/bob/.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my_corporate_bucket",
      "Condition": { "StringLike": { "s3:prefix": "home/bob/*" } }
    }
  ]
}

This does not work for me. When I run my code, I can see all the folders and subfolders. The modified code looks something like this:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::Test-test",
      "Condition": { "StringLike": { "s3:prefix": "Test/*" } }
    }
  ]
}

When I run my code in C# using the credentials of the user attached to the above policy, I get all the folders, not just the ones in the Test section... Any help would be very much appreciated!

+4
2 answers

Finally, I got it to work. Although I think there is a bug in the AWS Management Console, or at least it seems that way. The problem is that my policy was right all along, but it behaved differently when I accessed it through the AWS Management Console versus software tools like CloudBerry. One thing I had to change was the ACL settings for objects and buckets. This would also have worked earlier if the AWS console worked correctly. Anyway, this is my policy:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": [ "s3:ListBucket", "s3:ListBucketVersions" ],
      "Resource": "arn:aws:s3:::pa-test",
      "Condition": { "StringLike": { "s3:prefix": "test/*" } }
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::pa-test/test/*",
      "Condition": {}
    }
  ]
}

1) The problem is that I was accessing the bucket for this IAM user through the AWS Management Console. I get an access error when I click on my bucket, whereas when I log in through CloudBerry I can see my folders.

2) I had to change the ACL settings for my bucket and objects (folders). For my bucket: Owner: Full control; Authenticated users: Read only.

For my folders: Owner: Full control.

Now the problem is that you cannot set ACL parameters for folders (objects) in the AWS console. You can set them for files (objects). For example, if you right-click on a folder (object) inside a bucket and then click on Properties, it will not show you a Permissions tab. But if you right-click on a bucket or a file (say test.html) and click on Properties, it will show you the Permissions tab. I'm not sure whether anyone else has noticed this problem. In any case, this is my script, and it works now.

+7

The result you expect from ListBucket will not be like that, because the policy lets you allow or deny access to objects according to the bucket policy. ListBucket will list all objects, but you will only have access to the prefix folder and its contents.

If you want to list only the folder, then you need to write code for this: read the IAM policy, get the prefix string, and then list with that prefix; then you will get only the desired folder, because so far this option has not been provided by Amazon S3.

+2
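Added example, not from any of the posts above: a small local evaluator for the s3:prefix condition, using the final policy from the accepted answer as constructed input. It models only the pieces these policies use (Allow/Deny, StringLike, the '*' and '?' wildcards, default deny), and shows which ListBucket requests the conditional statement actually matches: a request that carries a prefix parameter under test/ does, while a request with no prefix parameter at all, or with a different prefix, does not.

```python
import json
import re

# Constructed sample input: the final policy from the accepted answer, as valid JSON.
POLICY = json.loads("""
{ "Statement": [
  { "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*" },
  { "Effect": "Allow", "Action": ["s3:ListBucket", "s3:ListBucketVersions"],
    "Resource": "arn:aws:s3:::pa-test",
    "Condition": { "StringLike": { "s3:prefix": "test/*" } } },
  { "Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::pa-test/test/*" }
]}
""")

def wildcard_match(pattern, value):
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def _any_match(patterns, value):
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(wildcard_match(p, value) for p in patterns)

def _condition_holds(condition, context):
    """Only StringLike is modelled; a key missing from the request makes the test false."""
    for operator, tests in condition.items():
        if operator != "StringLike":
            raise ValueError(f"operator not modelled: {operator}")
        for key, patterns in tests.items():
            # A ListBucket call sent without a prefix parameter has no s3:prefix key.
            if key not in context or not _any_match(patterns, context[key]):
                return False
    return True

def is_allowed(policy, action, resource, context):
    """Default deny; an explicit Deny wins over any Allow (simplified IAM evaluation)."""
    decision = False
    for stmt in policy["Statement"]:
        if not (_any_match(stmt["Action"], action) and _any_match(stmt["Resource"], resource)
                and _condition_holds(stmt.get("Condition", {}), context)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision

def list_bucket_allowed(prefix=None, bucket="arn:aws:s3:::pa-test"):
    """Would a ListBucket call on the bucket with this prefix parameter be allowed?"""
    context = {} if prefix is None else {"s3:prefix": prefix}
    return is_allowed(POLICY, "s3:ListBucket", bucket, context)
```

The third statement is what lets the same user read and write the objects under test/ once they are listed; the evaluator shows it does not match the bucket ARN itself, so listing still depends on the prefix condition.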

Source: https://habr.com/ru/post/1411692/
