0
votes

Has anyone encountered this situation? When I use a managed policy on a user, it works, but when I use an inline policy it says access denied. I am giving read access to a bucket for an IAM user, that is, it can only access that bucket.

Managed Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": "*"
        }
    ]
}

Inline Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": "arn:aws:s3:::mybucketname/*"
        }
    ]
}

I also tried this

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3Permissions",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::mybucketname/*",
        "arn:aws:s3:::mybucketname"
      ]
    }
  ]
}
1
What does "it does not work" mean? It's not very specific. Any errors? - Marcin
The problem I get is Access denied - Francis
Access denied where? For using the AWS Console, more permissions are required. For programmatic access your last policy should be fine. - Marcin
Access denied in the dashboard for the IAM user. The user can access all buckets with the managed policy AmazonS3ReadOnlyAccess, but when I remove it and attach an inline policy with the same policy or a different policy, the user is denied access to all buckets or the specified folder - Francis

1 Answer

2
votes

Your last policy should be fine for direct access to the bucket as explained in:

For console access, additional permissions are required, as shown in:

Specifically, the policy should look like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::test"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": ["arn:aws:s3:::test/*"]
    }
  ]
}

AmazonS3ReadOnlyAccess has all the above permissions; your inline policy does not.
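To make the answer's point concrete, here is an added example (not code from the thread or from AWS) that replays a minimal, assumed subset of the S3 console's API calls against each inline policy from the question and against the answer's policy narrowed to read-only, using a simplified IAM matcher (explicit Deny beats Allow, "*" and "?" wildcards, case-insensitive action names). The bucket name, the object key "reports/q1.csv" and the list of console calls are constructed for illustration; real evaluation also considers bucket policies, SCPs, permission boundaries and session policies, so use "aws iam simulate-principal-policy" or the IAM Policy Simulator for an authoritative answer.

```python
"""Check which S3 console calls an IAM identity policy would allow.

Added example for this thread; it is not AWS code and not the poster's.
It models only identity-policy matching (explicit Deny over Allow, '*'
and '?' wildcards); real IAM evaluation also applies SCPs, permission
boundaries, bucket policies and session policies.
"""
import fnmatch

BUCKET = "mybucketname"  # placeholder name taken from the question

# Assumed minimal subset of the API calls the S3 console makes when a user
# opens the bucket list, clicks a bucket and downloads one object. The real
# console issues more calls than this; the object key is constructed.
CONSOLE_REQUESTS = [
    ("s3:ListAllMyBuckets", "*"),                                # bucket list page
    ("s3:GetBucketLocation", f"arn:aws:s3:::{BUCKET}"),         # region lookup
    ("s3:ListBucket", f"arn:aws:s3:::{BUCKET}"),                # object listing
    ("s3:GetObject", f"arn:aws:s3:::{BUCKET}/reports/q1.csv"),  # download
]

# Second policy from the question: only object ARNs.
INLINE_OBJECTS_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:Get*", "s3:List*"],
                   "Resource": f"arn:aws:s3:::{BUCKET}/*"}],
}

# Third policy from the question: bucket and object ARNs, all s3 actions.
INLINE_BUCKET_AND_OBJECTS = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "S3Permissions", "Effect": "Allow", "Action": "s3:*",
                   "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"]}],
}

# The answer's policy, narrowed to read-only (PutObject/DeleteObject dropped,
# since the question asks for read access) and with the bucket name substituted.
CONSOLE_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{BUCKET}"]},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": [f"arn:aws:s3:::{BUCKET}/*"]},
    ],
}


def _as_list(value):
    """IAM allows a string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, value, case_sensitive):
    # IAM action names are case-insensitive; resource ARNs are compared as given.
    # fnmatch also interprets '[...]', which IAM does not, so this is an approximation.
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """Return True if the identity policy allows (action, resource)."""
    allowed = explicit_deny = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action, False) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_matches(r, resource, True) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            explicit_deny = True
        elif stmt["Effect"] == "Allow":
            allowed = True
    return allowed and not explicit_deny


def missing_permissions(policy, requests=CONSOLE_REQUESTS):
    """Return the (action, resource) pairs the policy does not allow."""
    return [(a, r) for a, r in requests if not is_allowed(policy, a, r)]


if __name__ == "__main__":
    for name, policy in [("inline objects only", INLINE_OBJECTS_ONLY),
                         ("inline bucket + objects", INLINE_BUCKET_AND_OBJECTS),
                         ("console read-only", CONSOLE_READ_ONLY)]:
        print(f"{name}: missing {missing_permissions(policy)}")
```

The run shows the failure mode directly: "arn:aws:s3:::mybucketname/*" only matches object ARNs, so the bucket-level calls s3:ListBucket and s3:GetBucketLocation (authorized against "arn:aws:s3:::mybucketname") and the account-level s3:ListAllMyBuckets (which needs Resource "*") are denied, and the console hits those first. The third policy in the question fixes the bucket ARN but still lacks s3:ListAllMyBuckets. If the user is meant to be read-only, leave s3:PutObject and s3:DeleteObject out of the answer's policy, as the narrowed version above does.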