0
votes

I am trying to give a programmatic IAM user access to a single bucket.

I setup the following policy and attached it to the user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket/*"
            ]
        }
    ]
}

Trying to programmatically upload a file I got a 403.

I got this policy from here:

Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket

I verified that everything else is working by then adding an AWS managed policy, AmazonS3FullAccess, after which my upload succeeded. But I would rather not give this user full access.

There are no other policies attached to this user.

2
How are you performing the upload? CLI command? Or can you show us the code that generates the error? The code might be calling another API. Can the same user download a file? - John Rotenstein

I am performing it using a Ruby gem, dragonfly-s3_data_store, from the rails console. The code is `Dragonfly.app.store('local/path/to/file')`. The same code works fine when the S3 all access policy is in effect. - Mark Fraser

Try setting debug mode. The code could be trying to use other methods like GetBucketLocation or ListBucket. The debug mode will probably show you the complete forbidden response from AWS. Try it also with awscli: `aws s3 cp /local/path/to/file s3://my-bucket/file-name` - Jonathan Beber

2 Answers

0
votes

You can try this policy to give full access to a particular bucket:

{
    "Version": "2012-10-17",
    "Statement": [{
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::<BUCKETNAME>",
                "arn:aws:s3:::<BUCKETNAME>/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        }
    ]
}

Since you are providing Put, Get and Delete, you might as well provide full access to the particular bucket.

1
votes

Nothing is wrong with your policy. Make sure you're using the right bucket name in the IAM policy and that the policy is attached to the user.

You can test it with the IAM Policy Simulator. Maybe you should consider the time policies take to take effect, but it's "almost immediately". See this answer.
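Both the question's policy and the answer above hinge on the same rule: bucket-level actions (ListBucket, GetBucketLocation) must be granted on the bucket ARN `arn:aws:s3:::mybucket`, object-level actions on `arn:aws:s3:::mybucket/*`, and any call that no Allow statement matches is implicitly denied, which S3 reports as 403. The Ruby script below is an added example, not code from the original post or from the dragonfly gem: a minimal offline evaluator of the Action/Resource/Effect matching, run over the question's policy and over an `s3:*` grant scoped only to the object ARN. The list of calls an upload client might make is an assumption (the comments name GetBucketLocation and ListBucket as candidates); the real list comes from the client's debug logging or from the IAM Policy Simulator.

```ruby
require 'json'

# Minimal evaluator for identity-based IAM policies, limited to Action /
# Resource / Effect matching. It follows the real decision order: an explicit
# Deny wins, otherwise any matching Allow wins, otherwise the request is
# implicitly denied (S3 surfaces that as 403 AccessDenied). Conditions,
# policy variables, bucket policies and SCPs are deliberately out of scope.
module MiniIam
  module_function

  # Turn an IAM wildcard pattern ("s3:Get*", "arn:aws:s3:::mybucket/*") into an
  # anchored Regexp: '*' matches any run of characters, '?' exactly one.
  def pattern_to_regexp(pattern, ignore_case: false)
    body = Regexp.escape(pattern).gsub('\*', '.*').gsub('\?', '.')
    Regexp.new("\\A#{body}\\z", ignore_case ? Regexp::IGNORECASE : 0)
  end

  # Action and Resource may be a single string or a list of patterns.
  def matches?(patterns, value, ignore_case: false)
    Array(patterns).any? { |p| pattern_to_regexp(p, ignore_case: ignore_case).match?(value) }
  end

  # Decide one (action, resource) pair: :allow, :explicit_deny or :implicit_deny.
  def evaluate(policy, action, resource)
    decision = :implicit_deny
    policy.fetch('Statement').each do |st|
      # Action names are matched case-insensitively; ARNs are case-sensitive.
      next unless matches?(st['Action'], action, ignore_case: true)
      next unless matches?(st['Resource'], resource)
      return :explicit_deny if st['Effect'] == 'Deny'
      decision = :allow if st['Effect'] == 'Allow'
    end
    decision
  end
end

# The policy from the question, with the same actions and resources.
QUESTION_POLICY = JSON.parse(<<~'JSON')
  {
    "Version": "2012-10-17",
    "Statement": [
      { "Effect": "Allow", "Action": ["s3:ListBucket"],
        "Resource": ["arn:aws:s3:::mybucket"] },
      { "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
        "Resource": ["arn:aws:s3:::mybucket/*"] }
    ]
  }
JSON

# An s3:* grant scoped only to the object ARN: the common mistake of leaving
# out the bucket ARN itself, which silently drops every bucket-level action.
OBJECTS_ONLY_POLICY = JSON.parse(<<~'JSON')
  {
    "Version": "2012-10-17",
    "Statement": [
      { "Effect": "Allow", "Action": "s3:*",
        "Resource": ["arn:aws:s3:::mybucket/*"] },
      { "Effect": "Allow", "Action": "s3:ListAllMyBuckets",
        "Resource": "arn:aws:s3:::*" }
    ]
  }
JSON

# Calls a client library might make around one upload. This list is an
# assumption for illustration (the comments name GetBucketLocation and
# ListBucket as candidates); confirm the real calls with debug logging.
UPLOAD_CALLS = [
  ['s3:GetBucketLocation', 'arn:aws:s3:::mybucket'],
  ['s3:ListBucket',        'arn:aws:s3:::mybucket'],
  ['s3:PutObject',         'arn:aws:s3:::mybucket/local/path/to/file'],
]

# Map each call to its decision; anything other than :allow explains a 403.
def decisions(policy, calls = UPLOAD_CALLS)
  calls.to_h { |action, arn| [action, MiniIam.evaluate(policy, action, arn)] }
end

if $PROGRAM_NAME == __FILE__
  { 'question policy' => QUESTION_POLICY, 'objects-only s3:*' => OBJECTS_ONLY_POLICY }.each do |name, pol|
    puts name
    decisions(pol).each { |action, d| puts "  #{action.ljust(22)} #{d}" }
  end
end
```

Run it with `ruby iam_check.rb`. Any call reported as `implicit_deny` is a candidate for the 403; the least-privilege fix is to add that single action on the matching ARN (bucket ARN for bucket-level actions, `bucket/*` for object-level ones) rather than falling back to AmazonS3FullAccess.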