0
votes

I am now trying to use AWS S3.
I created an IAM user with no "Permissions policies".
And, the bucket policy of S3 is set as follows.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SpecificIAMPermission",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:user/iam-user"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bucketname",
                "arn:aws:s3:::bucketname/*"
            ]
        }
    ]
}

However, this setting gives an access denied error.
Buckets and IAM users are in the same AWS account.
By the way, if I give full access permission of S3 in the policy setting of IAM, it works properly.

Is there a way to access with only S3 bucket policy without giving any "Permission Policy" to IAM users?
If you know anything, I'd be happy to let you know.

Thank you!


Additional description

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SpecificIAMPermission",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bucketname",
                "arn:aws:s3:::bucketname/*"
            ]
        }
    ]
}

I can access the image data from the web browser by writing the code as above.
However, access will be denied if I execute PutObject processing in the server-side implementation.

I tried to give PutObjectACL permission to IAM user, but access was denied.

2
By the way, access is denied by PutObject processing. - 日高岳大
Are you sure you are calling actions on this bucket only? Also does the user have any policies that could prevent the access? Boundary policies or any deny? - Marcin
I recreated the same scenario, and it's working. "Buckets and IAM users are in the same AWS account" ?? can you give us more info ? - Oxi
@Marcin IAM User has no policy. - 日高岳大
Can you double check the bucket name you're using in your API interactions? - Chris Williams

2 Answers

2
votes

If you wish to grant Amazon S3 bucket access to a specific IAM User, it is better to attach an IAM Policy to the IAM User rather than creating a Bucket Policy.

Typically, a Bucket Policy is used to grant public access to a bucket. While it can grant access to a specific user, it can get messy if users are added this way.

Therefore, add an inline policy to the IAM user to grant access to the bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bucketname",
                "arn:aws:s3:::bucketname/*"
            ]
        }
    ]
}

Note that this also gives the IAM User permission to delete objects from the bucket, and even permission to delete the bucket itself, so you probably want to give them fewer permissions (e.g. just GetObject, PutObject and ListBucket).

If this policy does not work for this specific bucket, it might be due to the way that objects were created in the bucket. I would recommend that you experiment by creating a new bucket and granting the IAM User permissions for the new bucket. If this works, then the policy is not the cause of the issue, but rather the way objects were created. (Let us know what you find and we can then assist further.)

1
votes

For object level and individual bucket level you will need to attach either an IAM policy to a principal or create a bucket policy that has the permissions for a specific principal (although to be clear if no bucket policy is set you will require the IAM permissions).

However, if you're trying to access the bucket from within the console you will not be able to perform the ListBuckets API action without a specific IAM policy.

In addition other users/roles in the same account as the S3 bucket will still be able to perform interactions on the S3 bucket if they have a relevant IAM policy attached unless you add a deny statement to the bucket policy.

Double check the principal is correct in the bucket policy, and that the bucket name is correct in the API interaction.

When you receive the 403 you should be given a reason for denial (which should allow you to find the permission that's missing); be aware that if you're adding an ACL at the same time you will need the PutObjectACL permission.

More information is available on the A user with permission to add objects to my Amazon S3 bucket is getting Access Denied errors. Why? page.
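The two answers together describe how a same-account request is authorized: an identity policy or a bucket policy can allow it, an explicit Deny anywhere wins, and a bucket-level action such as ListBucket must be granted on the bucket ARN rather than on `bucket/*`. The script below is an added example, not code from either answer or from AWS, that models exactly those rules so the cases discussed on this page can be checked side by side. The least-privilege identity policy is my reading of the first answer's suggestion (GetObject, PutObject, ListBucket); the `DenyBucketDeletion` statement, the second user and the object key are constructed; the evaluator deliberately ignores Condition, NotAction, NotResource, permission boundaries, SCPs and Block Public Access, so it is a teaching model rather than a substitute for the IAM policy simulator or the reason string in the real 403.

```python
"""Toy model of same-account S3 authorization.

Rules modelled (constructed example, not AWS code):
  * an explicit Deny in any applicable policy wins;
  * otherwise any matching Allow from an identity policy OR the bucket
    policy grants the request (same-account semantics);
  * otherwise the request is implicitly denied.
Ignored: Condition, NotAction, NotResource, boundaries, SCPs, BPA.
"""
import fnmatch

ACCOUNT = "111111111111"                              # account id from the question
BUCKET = "bucketname"                                  # bucket name from the question
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/iam-user"    # principal from the question
OTHER_USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/other-user"   # constructed
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
OBJECT_ARN = f"{BUCKET_ARN}/images/cat.png"            # constructed object key

# Least-privilege inline identity policy along the lines of the first answer.
# ListBucket is a bucket-level action, so it is granted on the bucket ARN;
# the object-level actions are granted on bucket/*.
LEAST_PRIVILEGE_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"{BUCKET_ARN}/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET_ARN},
    ],
}

# A common mistake: everything on bucket/* only, so ListBucket never matches.
MISSCOPED_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": f"{BUCKET_ARN}/*"},
    ],
}

# The question's bucket policy plus a constructed Deny statement, which is
# the kind of deny the second answer mentions.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SpecificIAMPermission", "Effect": "Allow",
         "Principal": {"AWS": USER_ARN}, "Action": "s3:*",
         "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"]},
        {"Sid": "DenyBucketDeletion", "Effect": "Deny",
         "Principal": "*", "Action": "s3:DeleteBucket", "Resource": BUCKET_ARN},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_any(patterns, value):
    # IAM wildcards are * and ?, which fnmatchcase handles; case stays significant
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(statement, principal_arn):
    principal = statement.get("Principal")
    if principal is None:        # identity policies carry no Principal element
        return True
    if principal == "*":
        return True
    aws = principal.get("AWS", [])
    return any(p == "*" or p == principal_arn for p in _as_list(aws))


def evaluate(principal_arn, action, resource, policies):
    """Return 'ALLOW', 'DENY_EXPLICIT' or 'DENY_IMPLICIT' for one request."""
    decision = "DENY_IMPLICIT"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _principal_matches(stmt, principal_arn):
                continue
            actions = [a.lower() for a in _as_list(stmt["Action"])]  # actions are case-insensitive
            if not _glob_any(actions, action.lower()):
                continue
            if not _glob_any(stmt["Resource"], resource):
                continue
            if stmt["Effect"] == "Deny":
                return "DENY_EXPLICIT"   # an explicit Deny ends evaluation
            decision = "ALLOW"
    return decision


def run_scenarios():
    """The cases discussed on this page, as name -> decision."""
    return {
        "bucket policy only, iam-user PutObject":
            evaluate(USER_ARN, "s3:PutObject", OBJECT_ARN, [BUCKET_POLICY]),
        "bucket policy only, other-user GetObject":
            evaluate(OTHER_USER_ARN, "s3:GetObject", OBJECT_ARN, [BUCKET_POLICY]),
        "least-privilege identity policy, ListBucket":
            evaluate(USER_ARN, "s3:ListBucket", BUCKET_ARN, [LEAST_PRIVILEGE_IDENTITY_POLICY]),
        "mis-scoped identity policy, ListBucket":
            evaluate(USER_ARN, "s3:ListBucket", BUCKET_ARN, [MISSCOPED_IDENTITY_POLICY]),
        "least-privilege identity policy, PutObjectAcl":
            evaluate(USER_ARN, "s3:PutObjectAcl", OBJECT_ARN, [LEAST_PRIVILEGE_IDENTITY_POLICY]),
        "identity Allow s3:* plus bucket Deny, DeleteBucket":
            evaluate(USER_ARN, "s3:DeleteBucket", BUCKET_ARN,
                     [MISSCOPED_IDENTITY_POLICY, BUCKET_POLICY]),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{decision:14} {name}")
```

Under this model the question's bucket policy does allow `iam-user` to PutObject with no identity policy at all, which is the second answer's point that a resource policy alone is sufficient within one account; the mis-scoped `bucket/*`-only policy silently loses ListBucket, the least-privilege policy correctly lacks PutObjectAcl (so an upload that also sets an ACL is refused, as the second answer warns), and a single Deny in the bucket policy overrides an `s3:*` Allow on the identity. Anything the model reports as allowed but AWS still refuses points at one of the ignored layers (conditions, boundaries, SCPs, Block Public Access) or at the wrong bucket name or principal, which is where the comments on the question were steering.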