Granting Amazon S3 permission by bucket

Quick Note

I was setting up an AWS S3 bucket and would like to share the access to my colleague.

It's quite effortless but somehow I needed to go over the docs for serval times and set up some extra stuffs.

This serves as a note for myself and anyone who needs.

For settings in detail, you can read the docs about how to manage access to your Amazon S3 Resources

Problem

I want to share bucket-a and bucket-b to my colleague Boris.

Solution

Create IAM Policy in the console

Then visit the AWS IAM console

In the policy tab, you will see many default policy (you can filter out by "S3", however there are no rules that based on buckets). So, let us create a new policy.

Select Policy Generator , it helps us to generate the policy document as specified.

Policy for the buckets

AWS Policy Generator is a handy tool to get the IAM policy document generated.

Since we are working with S3, we need to know the Amazon Resource Names (ARNs) of our buckets.

<!-- Object in an Amazon S3 bucket -->
arn:aws:s3:::bucket_name/exampleobject.png

so in my case, I need to specify:

arn:aws:s3:::bucket-a
arn:aws:s3:::bucket-a/*
arn:aws:s3:::bucket-b
arn:aws:s3:::bucket-b/*

The policy generated as following:

{
  "Id": "Policy1487658810754",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1487658775540",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::bucket-a",
        "arn:aws:s3:::bucket-a/*",
        "arn:aws:s3:::bucket-b",
        "arn:aws:s3:::bucket-b/*"
      ],
      "Principal": "*"
    }
  ]
}

For example, we give it the name AmazonS3BucketABucketBAccess. You can now see the policy on the list of policies in the IAM Console.

Grant a user the permission

Now, go to the Users tab in the IAM console.
Search for the user nad edit his/her permission.

If the user does not exist yet, create a user first by clicking the Add User button. I advice to select the Access Type as "Programmatic access", so it doesn't generate a set of usernams / password for the user to login to the console.

Now, we can add the above created permissions to the user.
Among "Add user to group", "Copy permissions from existing user" and "Attach existing policies directly", we will choose "Attach existing policies directly" this time.

You will see the policy AmazonS3BucketABucketBAccess we created just now in the list.

Just select the policy and attach it to the user.

Alternatively, you can create a Group

... then add the user into the group. Users in the group will be granted the same level of permission as the group specified.

To access the bucket

You will need API Key ID and API Secret to access to the bucket.
The above info can be found in the IAM Console > Users > Select the User > Security credentials > Access keys.

We need to create a pair of Access key ID and secret for the user to get the right access.

Once it's ready, you will see the status of the Access Keys.

Extra

If you need to grant the user console access, make sure you also grant him/her the list all bucket permission.

Ref: StackOverflow: Amazon S3 IAM User can' access S3 bucket

    {
        "Sid": "ListAllBuckets",
        "Action": "s3:ListAllMyBuckets",
        "Effect": "Allow",
        "Resource": "*"
    }

Hope it helps ;)

comments powered by Disqus