I have a very basic goal: to share all content of my bucket with a list of specific users, read only. This used to work with a tool called s3cmd. All I needed to do was add a user (identified by email) to the Access Control List with Read permission, and they could list or download data smoothly.
But recently, this suddenly did not work anymore. The system just denies any attempt to access my bucket.
I then started thinking of editing the bucket policy. Here is the draft of my policy, generated by the Policy Generator (sensitive information is anonymized):
{
    "Id": "Policy123456789",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1512705836469",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:ListObjects"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::mybucketname",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::anotheruserid:user/admin"
                ]
            }
        }
    ]
}
When I click save, I get a "Policy has invalid action" error. I then tried to remove "ListObjects" so the policy becomes
{
    "Id": "Policy123456789",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1512705836469",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::mybucketname",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::anotheruserid:user/admin"
                ]
            }
        }
    ]
}
and got another error message "Action does not apply to any resource(s) in statement".
These two errors do not make sense to me. Please correct me if I am wrong. If I am not in the right direction, please help me.
BTW: I tried to follow the tutorial at http://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example2.html but wasn't successful. By using the following bucket policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Example permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AccountB-ID:root"
            },
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::examplebucket"
            ]
        }
    ]
}
I got an error message when using awscli of AccountB to execute "aws s3 ls s3://examplebucket".
The error message was "An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied".
This confuses me. If I add ListObjects, I get an "invalid" error.
If I remove the "ListObjects", another user could not read my bucket content.
What should I do?
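The two console errors in the question come from two separate rules that a bucket policy has to satisfy: every entry in "Action" must be a real IAM action name (the ListObjects API call is authorised by s3:ListBucket; there is no s3:ListObjects action), and every action must match at least one resource of the right kind (s3:ListBucket applies to the bucket ARN, s3:GetObject applies to object ARNs such as arn:aws:s3:::bucket/*). The following Python script is an added example by the editor, not code from the question or from AWS: it lints a policy against those two rules using a small hand-picked subset of S3 actions, and builds a read-only policy that splits listing and reading into two statements with the correct resources. The account id and bucket name are placeholders.

```python
import json

# Constructed copy of the question's first draft; the account id and bucket
# name are placeholders, not real identifiers.
FIRST_DRAFT = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ShareRead",
      "Effect": "Allow",
      "Principal": {"AWS": ["arn:aws:iam::111111111111:user/admin"]},
      "Action": ["s3:GetObject", "s3:ListBucket", "s3:ListObjects"],
      "Resource": "arn:aws:s3:::mybucketname"
    }
  ]
}
""")

# Hand-picked subset of S3 IAM actions grouped by the resource type they
# authorise (assumption: the real list is longer). Bucket-level actions match
# arn:aws:s3:::bucket; object-level actions match arn:aws:s3:::bucket/key or
# bucket/*. The ListObjects API call is authorised by s3:ListBucket, so a
# literal "s3:ListObjects" entry is rejected as an invalid action.
BUCKET_ACTIONS = {"s3:ListBucket", "s3:ListBucketVersions", "s3:GetBucketLocation"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion", "s3:PutObject", "s3:DeleteObject"}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def split_resources(resources):
    """Separate bucket ARNs from object ARNs by the presence of a key part."""
    bucket_arns, object_arns = [], []
    for arn in resources:
        tail = arn.split(":::", 1)[-1]          # "mybucketname" or "mybucketname/*"
        (object_arns if "/" in tail else bucket_arns).append(arn)
    return bucket_arns, object_arns


def lint_statement(stmt):
    """Return the problems that make the console reject this statement or
    leave an action without any matching resource."""
    problems = []
    bucket_arns, object_arns = split_resources(_as_list(stmt.get("Resource")))
    for action in _as_list(stmt.get("Action")):
        if "*" in action:                        # wildcards are out of scope for this lint
            continue
        if action not in BUCKET_ACTIONS | OBJECT_ACTIONS:
            problems.append(f"{action}: not an IAM action name (use s3:ListBucket for listing)")
        elif action in OBJECT_ACTIONS and not object_arns:
            problems.append(f"{action}: object-level action, needs a resource like arn:aws:s3:::bucket/*")
        elif action in BUCKET_ACTIONS and not bucket_arns:
            problems.append(f"{action}: bucket-level action, needs the resource arn:aws:s3:::bucket")
    return problems


def lint_policy(policy):
    """Map each statement's Sid to its list of problems."""
    return {stmt.get("Sid", f"stmt{i}"): lint_statement(stmt)
            for i, stmt in enumerate(policy["Statement"])}


def read_only_policy(bucket, principal_arns):
    """Build a read-only bucket policy: listing on the bucket ARN, reads on the
    object ARN. Two statements, because the two action groups need different
    resources and a single statement would fail the console's resource check."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowList",
                "Effect": "Allow",
                "Principal": {"AWS": list(principal_arns)},
                "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "AllowRead",
                "Effect": "Allow",
                "Principal": {"AWS": list(principal_arns)},
                "Action": ["s3:GetObject"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
        ],
    }


if __name__ == "__main__":
    print("first draft:", json.dumps(lint_policy(FIRST_DRAFT), indent=2))
    fixed = read_only_policy("mybucketname", ["arn:aws:iam::111111111111:user/admin"])
    print("fixed policy:", lint_policy(fixed))
    print(json.dumps(fixed, indent=2))
```

Run against the first draft the lint reports exactly the two things the console complained about (s3:GetObject with no object resource, s3:ListObjects not an action), and the generated two-statement policy lints clean. One caveat for the cross-account case in the walkthrough: a bucket policy that names another account's root principal only grants that account permission to delegate; the IAM users in that account still need an identity-based policy in their own account allowing the same s3:ListBucket and s3:GetObject actions, otherwise "aws s3 ls" is still denied.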