I am struggling to get a AWS S3 IAM user policy to work, this is my current IAM user's policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1424859689000",
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::vault-us/*"
]
}
]
}
When I do a post to create a new object in my S3 bucket I get a 403 Forbidden error but when I use the Managed Policy called 'AmazonS3FullAccess' then everything works just fine.
What I am trying to do is restrict certain IAM users to upload/downloads rights but am struggling to get this working.
Any suggestions would be appreciated!
I managed to figure out that in order for upload to work I needed to include the action "s3:PutObjectAcl" here is the example of my IAM policy below:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::vault-us"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::vault-us/*"
]
}
]
}
First thing you can do is figure out if its the actions that's wrong or the resource scope, can you these two policies one at a time:
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::vault-us/*"
]
and
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"*"
]
If the first one works and the second fails, you don't have enough permissions to do your operation, e.g. try adding listBucket or similar (I tend to add all likely ones and gradually remove them until it breaks).
If the first one breaks and the second one works then your resource declaration is wrong, the most common fix I've found is to try adding:
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::vault-us/*",
"arn:aws:s3:::vault-us"
]
If the both fail then chances are both your action and your resource is wrong.
Good Luck