How do I specify a policy that accomplishes:

  • public allow permission on s3:getObject

  • specific principal allow permission on s3:*

My use case is I want to provide public read access to bucket resources (as long as the requester knows the exact key) but want to provide full admin access for a specific IAM role.

I tried this:

{
    "Version": "2012-10-17",
    "Id": "Policy1527265803757",
    "Statement": [
        {
            "Sid": "Stmt1527265797507",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::99999999999:role/my-role"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::my-bucket"
        },
        {
            "Sid": "Stmt1527700198181",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*"
        }
    ]
}

but it seems to reduce the role to only having GetObject permission.

Comment: it seems, it is correct - omurbek

1 Answer

I tried your policy and, for my-role, I was able to run PutObject, while for others I could only run GetObject. What makes you believe that my-role does not have admin access?
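The point worth checking offline is what the bucket policy itself grants, because a bucket policy is evaluated together with the role's identity-based policies, and a same-account test can succeed for reasons the bucket policy alone does not show. The asker's first statement names only the bucket ARN (`arn:aws:s3:::my-bucket`), which covers bucket-level actions such as ListBucket but not object-level actions such as PutObject on `my-bucket/key`; only the public GetObject statement reaches object ARNs. The following is an added example, not code from the question or the answer: a small evaluator for the Allow/Deny matching of the posted policy (with the trailing comma removed so it parses), run against the original policy and against a variant whose role statement also lists `arn:aws:s3:::my-bucket/*`. The "someone-else" principal ARN and the object key `report.csv` are constructed inputs; the wildcard matching uses `fnmatch`, which also treats `[` specially where IAM does not.

```python
"""Offline evaluator for the S3 bucket policy discussed above (added example)."""
import fnmatch
import json

# Constructed input: the asker's policy with the trailing comma removed so it parses.
ORIGINAL_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Id": "Policy1527265803757",
    "Statement": [
        {
            "Sid": "Stmt1527265797507",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::99999999999:role/my-role"},
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::my-bucket"
        },
        {
            "Sid": "Stmt1527700198181",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*"
        }
    ]
}
""")

# Same policy, but the role statement also covers object ARNs (my variant, not the asker's).
FIXED_POLICY = json.loads(json.dumps(ORIGINAL_POLICY))
FIXED_POLICY["Statement"][0]["Resource"] = [
    "arn:aws:s3:::my-bucket",
    "arn:aws:s3:::my-bucket/*",
]

ROLE_ARN = "arn:aws:iam::99999999999:role/my-role"          # from the question
OTHER_ARN = "arn:aws:iam::111111111111:user/someone-else"   # constructed principal


def _as_list(value):
    """IAM accepts a string or a list for Action, Resource and Principal.AWS."""
    return [value] if isinstance(value, str) else list(value)


def _glob(pattern, value):
    """IAM wildcards are '*' and '?'; fnmatch also honours '[...]', which IAM does not."""
    return fnmatch.fnmatchcase(value, pattern)


def _principal_matches(stmt_principal, principal_arn):
    if stmt_principal == "*":
        return True  # anonymous / public statement
    if isinstance(stmt_principal, dict):
        aws = _as_list(stmt_principal.get("AWS", []))
        return "*" in aws or principal_arn in aws
    return False


def _statement_matches(stmt, principal_arn, action, resource_arn):
    # Action names are case-insensitive in IAM; resource ARNs are case-sensitive.
    return (
        _principal_matches(stmt["Principal"], principal_arn)
        and any(_glob(a.lower(), action.lower()) for a in _as_list(stmt["Action"]))
        and any(_glob(r, resource_arn) for r in _as_list(stmt["Resource"]))
    )


def matching_statements(policy, principal_arn, action, resource_arn):
    """Return (allow_sids, deny_sids): the Sids of statements that match the request."""
    allows, denies = [], []
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, principal_arn, action, resource_arn):
            target = allows if stmt["Effect"] == "Allow" else denies
            target.append(stmt.get("Sid", "<no Sid>"))
    return allows, denies


def is_allowed(policy, principal_arn, action, resource_arn):
    """Bucket-policy view only: explicit Deny wins, then any Allow, else implicit deny.
    Identity-based policies attached to the principal are deliberately not modelled."""
    allows, denies = matching_statements(policy, principal_arn, action, resource_arn)
    return not denies and bool(allows)


if __name__ == "__main__":
    obj = "arn:aws:s3:::my-bucket/report.csv"   # constructed object key
    bucket = "arn:aws:s3:::my-bucket"
    for name, policy in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        print(name)
        for who, action, res in (
            (ROLE_ARN, "s3:PutObject", obj),
            (ROLE_ARN, "s3:ListBucket", bucket),
            (OTHER_ARN, "s3:GetObject", obj),
            (OTHER_ARN, "s3:PutObject", obj),
        ):
            who_short = who.rsplit("/", 1)[-1]
            print(f"  {who_short:>12} {action:<14} {res.rsplit(':::')[-1]:<22} -> {is_allowed(policy, who, action, res)}")
```

Running it shows the original policy granting the role ListBucket on the bucket but not PutObject on an object, while the public statement grants GetObject to anyone and nothing else; with both ARNs on the role statement, PutObject is allowed for the role and still denied for the outside principal. The evaluator ignores condition keys and identity policies, so it answers only what the bucket policy contributes, which is the part the question is about.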