2 votes

Following the AWS IAM examples, I have the configuration below, but it results in an "Access denied" when I use the credentials of the user with this IAM policy attached.

Removing the StringLike condition works fine.

{
  "Statement": [
    {
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::BUCKET"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": "STRING/*"
        }
      }
    }
  ]
}


from boto.s3.connection import S3Connection  # boto 2.x

conn = S3Connection(key, secret)
# get_bucket() validates the bucket with a request of its own before returning it
buck = conn.get_bucket(BUCKET)
for k in buck.list(prefix=STRING):
    print(k.name)

Also, in order to get an object from a bucket "subfolder",

... "Action":"s3:GetObject" ... "Resource":"arn:aws:s3:::BUCKET/STRING/*" ...

only this restricted GetObject permission is not enough (denied again), whereas it works if I add the ListBucket policy for the whole bucket. Does AWS work as in *nix, where you need the READ (list) bit set on a directory in order to ACCESS (read) a 777 file contained in that directory?

Can you please help? I am not sure about my understanding of IAM policies. Thanks


1 Answer

3 votes

Fixed by removing get_bucket(), which probably requires more permissions (ListAllMyBuckets?).

from boto.s3.connection import S3Connection  # boto 2.x
from boto.s3.bucket import Bucket

def list_prefix(key, secret, bucket, prefix):
    conn = S3Connection(key, secret)
    # Build the Bucket object directly instead of calling conn.get_bucket(),
    # so no request is sent until list() is called with the prefix
    mBucket = Bucket(conn, bucket)
    for k in mBucket.list(prefix=prefix):
        print(k.name)
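Editor's note on why the answer works, with an added example that is not part of the question or the answer. boto 2's get_bucket() validates the bucket by default (get_bucket(name, validate=False) turns this off, and building Bucket(conn, name) directly skips it); that validation is a ListBucket request on the bucket that carries no prefix, and an IAM StringLike test whose key is absent from the request context evaluates to false, so the policy above denies exactly that call while the later list(prefix=...) call is allowed. S3 authorizes GetObject on a key independently of ListBucket on the bucket, so the *nix "read bit on the directory" analogy does not apply; the GetObject failure in the question is the same get_bucket() validation call. The toy evaluator below models only what is needed to show this: Allow statements, IAM wildcard matching for Action and Resource, the StringLike operator, single-valued condition keys and implicit deny (real IAM adds Deny, policy variables, multi-valued keys, resource policies and much more). The policy is the question's ListBucket statement combined with its GetObject fragment; BUCKET and STRING are the question's placeholders, and the function names and sample object keys are my own.

```python
import json
import re

# Added example, not from the original post: a deliberately small model of how
# IAM evaluates the question's policy. Supports only Effect: Allow, the
# StringLike operator and single-valued condition keys. BUCKET and STRING are
# the placeholders used in the question.
POLICY = json.loads("""
{
  "Statement": [
    {
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::BUCKET"],
      "Condition": {"StringLike": {"s3:prefix": "STRING/*"}}
    },
    {
      "Action": ["s3:GetObject"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::BUCKET/STRING/*"]
    }
  ]
}
""")


def iam_like(pattern, value):
    """Case-sensitive IAM wildcard match: '*' is any run of characters
    (including '/'), '?' is exactly one character. IAM uses the same rules for
    Action/Resource matching and for the StringLike operator."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    # Policy elements may be a single string or a list of strings
    return v if isinstance(v, list) else [v]


def condition_holds(condition, context):
    """Evaluate a Condition block against the request context. A StringLike test
    whose key is missing from the context is false (IAM rule for every operator
    except Null and the ...IfExists variants)."""
    for operator, tests in condition.items():
        if operator != "StringLike":
            raise NotImplementedError(operator)  # toy model
        for key, patterns in tests.items():
            if key not in context:
                return False
            if not any(iam_like(p, context[key]) for p in _as_list(patterns)):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Implicit deny unless some Allow statement matches action, resource and
    condition. Explicit Deny is not modelled."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(iam_like(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(iam_like(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not condition_holds(stmt.get("Condition", {}), context):
            continue
        return True
    return False


BUCKET_ARN = "arn:aws:s3:::BUCKET"


def demo():
    """Requests corresponding to the calls in the question (sample keys constructed)."""
    return {
        # bucket.list(prefix="STRING/"): ListBucket with s3:prefix in the context
        "list_with_prefix": is_allowed(POLICY, "s3:ListBucket", BUCKET_ARN,
                                       {"s3:prefix": "STRING/"}),
        # get_bucket() validation: ListBucket with no prefix at all
        "list_without_prefix": is_allowed(POLICY, "s3:ListBucket", BUCKET_ARN),
        # prefix without the trailing slash does not match "STRING/*"
        "list_prefix_no_slash": is_allowed(POLICY, "s3:ListBucket", BUCKET_ARN,
                                           {"s3:prefix": "STRING"}),
        # GetObject under the prefix needs no ListBucket permission
        "get_in_prefix": is_allowed(POLICY, "s3:GetObject",
                                    BUCKET_ARN + "/STRING/report.csv"),
        # GetObject outside the prefix is denied by the Resource ARN
        "get_outside_prefix": is_allowed(POLICY, "s3:GetObject",
                                         BUCKET_ARN + "/OTHER/report.csv"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, "ALLOW" if ok else "DENY")
```

The list_prefix_no_slash case is worth checking against your own code: the question passes prefix=STRING, and unless that value already ends in "/", the request prefix will not match the StringLike pattern "STRING/*" even after get_bucket() is removed.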