I am trying to configure an Amazon IAM user with a policy that allows them to only perform uploads to a specific folder of an s3 bucket.
I can successfully upload images when the policy is written like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Put*"
      ],
      "Resource": "*"
    }
  ]
}
My upload function (in CoffeeScript with the browser-side JavaScript aws-sdk):
# `data` holds the putObject params (Bucket, Key, Body, ...); the callback's
# second argument is renamed so it does not shadow them.
s3.putObject data, (err, resp) =>
  if err
    # err is the AWS error object (code, message, statusCode)
    console.log 'Error uploading data: ', err
  else
    console.log 'successfully uploaded the image!'
However I would like to scope the permissions to only allow putObject, and only in a specific directory. I thought this policy would work, but it throws a 403 error:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::my_bucket/example_directory"
    }
  ]
}
Is there a syntax error in my policy, or am I doing something else incorrectly? I am still new to writing IAM policies.
Update
I've made some progress by getting the following policy to work in the IAM simulator, but unfortunately it still throws a 403 error when I try to actually upload, despite the simulator saying that putObject should be allowed.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "s3:PutObjectAcl*",
        "s3:PutObjectVersionAcl*"
      ],
      "Resource": "*"
    }
  ]
}
"Principal": "*", (or the IAM account that you want to restrict) in your policy and retry – Frederic Henri
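The following is an added example, not code from the question or from AWS: it shows the PutObject policy scoped to one key prefix, and a small model of how IAM matches a request's object ARN against a statement's Resource entries, which is where the question's second policy fails. An S3 object's ARN is `arn:aws:s3:::<bucket>/<key>`, so a Resource of `arn:aws:s3:::my_bucket/example_directory` names exactly one object (key `example_directory`) and never a key underneath that prefix; the trailing `/*` is what turns it into a prefix rule. Identity-based IAM policies also take no `Principal` element; that element exists only in resource-based policies such as bucket policies. Bucket and prefix names are the question's; the object keys are constructed sample input, and the evaluator covers only Allow/Deny on Action and Resource (no Conditions, bucket policies or SCPs).

```javascript
// Added example (not from the original question): a prefix-scoped PutObject
// policy plus a minimal model of IAM Action/Resource matching.
// Bucket and prefix come from the question; keys below are constructed.

// Identity-based policy for the upload user. The Resource ARN is matched
// against the object ARN "arn:aws:s3:::my_bucket/<key>", so it needs the
// trailing "/*" to cover every key under example_directory/. No Principal:
// identity-based policies do not take one.
const scopedPutPolicy = {
  Version: "2012-10-17",
  Statement: [
    {
      Effect: "Allow",
      Action: ["s3:PutObject"],
      Resource: ["arn:aws:s3:::my_bucket/example_directory/*"],
    },
  ],
};

// The Resource from the question, for comparison: without "/*" it names one
// object whose key is literally "example_directory", not the prefix.
const questionPolicy = {
  Version: "2012-10-17",
  Statement: [
    {
      Effect: "Allow",
      Action: ["s3:PutObject"],
      Resource: "arn:aws:s3:::my_bucket/example_directory",
    },
  ],
};

// IAM Action and Resource strings support "*" (any run of characters) and
// "?" (one character). Build an anchored regex; action names are matched
// case-insensitively, resource ARNs (object keys) case-sensitively.
function patternToRegex(pattern, ignoreCase) {
  const body = pattern
    .split("")
    .map((ch) => {
      if (ch === "*") return ".*";
      if (ch === "?") return ".";
      return ch.replace(/[.+^${}()|[\]\\]/, "\\$&");
    })
    .join("");
  return new RegExp("^" + body + "$", ignoreCase ? "i" : "");
}

function objectArn(bucket, key) {
  return "arn:aws:s3:::" + bucket + "/" + key;
}

// Minimal model of IAM evaluation for one request: a statement applies when
// the action matches one of its Action entries and the object ARN matches
// one of its Resource entries; an applicable Deny wins; with no applicable
// Allow the default is deny. Conditions and bucket policies are not modeled.
function allows(policy, action, bucket, key) {
  const arn = objectArn(bucket, key);
  let allowed = false;
  for (const stmt of policy.Statement) {
    const actions = [].concat(stmt.Action);
    const resources = [].concat(stmt.Resource);
    const actionMatch = actions.some((a) => patternToRegex(a, true).test(action));
    const resourceMatch = resources.some((r) => patternToRegex(r, false).test(arn));
    if (!(actionMatch && resourceMatch)) continue;
    if (stmt.Effect === "Deny") return false;
    allowed = true;
  }
  return allowed;
}

// Sample requests against constructed keys.
const upload = "example_directory/cat.png";
console.log(allows(questionPolicy, "s3:PutObject", "my_bucket", upload));          // false: the 403
console.log(allows(questionPolicy, "s3:PutObject", "my_bucket", "example_directory")); // true: only that one key
console.log(allows(scopedPutPolicy, "s3:PutObject", "my_bucket", upload));         // true
console.log(allows(scopedPutPolicy, "s3:PutObject", "my_bucket", "other/cat.png")); // false: outside the prefix
console.log(allows(scopedPutPolicy, "s3:PutObjectAcl", "my_bucket", upload));      // false: ACL not granted
```

In the browser upload call, the `Key` in the putObject params must begin with `example_directory/` for this policy to apply. If the params also carry an `ACL` value, S3 additionally checks `s3:PutObjectAcl`, which this policy does not grant, so such a request is denied even though the key is inside the prefix; either drop the `ACL` parameter or add that action for the same Resource. The evaluator above is a teaching model, not a replacement for the IAM policy simulator, which also accounts for conditions and the other policy types attached to the principal.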