{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 倾城 Initia 的问题《I need an Amazon S3 user with full access to a sin》','https://www.manongdao.com/q-146614.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I have a user foo with the following privileges (it's not a member of any group):
{
"Statement": [
{
"Sid": "Stmt1308813201865",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::bar"
}
]
}
That user however seem unable to upload or do much of anything until I grant full access to authenticated users (which might apply to anyone). This still doesn't let the user change permission as boto is throwing an error after an upload when it tries to do do key.set_acl('public-read').
Ideally this user would have full access to the bar bucket and nothing else, what am I doing wrong?
@cloudberryman's answer is correct but I like to make things as short as possible. This answer can be reduced to:
Are you aware of the AWS Policy Generator?
You need to grant s3:ListBucket permission to the bucket itself. Try the policy below.
The selected answer didn't work for me, but this one did:
Credit: http://mikeferrier.com/2011/10/27/granting-access-to-a-single-s3-bucket-using-amazon-iam/
If you've been pulling your hair out because you cannot figure out why Cyberduck is not being able to set object ACLs but it works with another client (like Panic Transmit) here is the solution:
You need to add
s3:GetBucketAclto your Action list, eg:Of course you don't need to do this if you are less restrictive with
s3:*but I think this is good to know.There is an official AWS documentation at Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket
Just copy and paste the appropriate rule and change the "Resource" key to your bucket's ARN in all Statements.
For programamtic access the policy should be:
And for console access access should be: