Accessing S3 bucket from a dedicated user ( policy failure ? )

Time:11-28

I'm trying to create an S3 bucket with a dedicated user for upload/download using Terraform.

For some reason the user that is being created is unable to access the bucket:

$ aws iam list-attached-user-policies --user-name csgoserver
{
    "AttachedPolicies": [
        {
            "PolicyName": "AllowUsercsgoserverAccessTocsgofiles",
            "PolicyArn": "arn:aws:iam::370179080679:policy/AllowUsercsgoserverAccessTocsgofiles"
        }
    ]
}

$ aws s3 cp bucket.tf s3://csgofiles --profile test
upload failed: .\bucket.tf to s3://csgofiles/bucket.tf An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

$ aws iam get-user-policy --user-name csgoserver --policy-name AllowUsercsgoserverAccessTocsgofiles
An error occurred (NoSuchEntity) when calling the GetUserPolicy operation: The user policy with name AllowUsercsgoserverAccessTocsgofiles cannot be found.

user.tf:

resource "aws_iam_user" "s3user" {
  name = var.user_name
  force_destroy = true
}

data "aws_iam_policy_document" "default" {
  statement {
    sid       = "AllowUser${var.user_name}AccessTo${var.bucket_name}"
    actions   = ["s3:*"]
    resources = ["arn:aws:s3:::${var.bucket_name}"]
    effect    = "Allow"
  }
}

resource "aws_iam_user_policy" "s3user_policy" {
  name = aws_iam_user.s3user.name
  user = aws_iam_user.s3user.name

  policy = join("", data.aws_iam_policy_document.default.*.json)
}

resource "aws_iam_access_key" "s3user_ak" {
  user    = aws_iam_user.s3user.name
}

There is one more thing I do not understand. The aws iam get-policy doesn't work on that policy:

$ aws iam list-policies --max-items 2
{
    "Policies": [
        {
            "PolicyName": "AllowUsercsgoserverAccessTocsgofiles",
            "PolicyId": "ANPAVMMDEQHTRE4NG3N2E",
            "Arn": "arn:aws:iam::370179080679:policy/AllowUsercsgoserverAccessTocsgofiles",
            "Path": "/",
            "DefaultVersionId": "v1",
            "AttachmentCount": 1,
            "PermissionsBoundaryUsageCount": 0,
            "IsAttachable": true,
            "CreateDate": "2021-11-26T22:17:52+00:00",
            "UpdateDate": "2021-11-26T22:17:52+00:00"
        },
        {
            "PolicyName": "eks-full-access-policy",
            "PolicyId": "ANPAVMMDEQHTR4C65WFT6",
            "Arn": "arn:aws:iam::370179080679:policy/eks-full-access-policy",
            "Path": "/",
            "DefaultVersionId": "v1",
            "AttachmentCount": 0,
            "PermissionsBoundaryUsageCount": 0,
            "IsAttachable": true,
            "CreateDate": "2021-03-30T09:57:04+00:00",
            "UpdateDate": "2021-03-30T09:57:04+00:00"
        }
    ],
    "NextToken": "eyJNYXJrZXIiOiBudWxsLCAiYm90b190cnVuY2F0ZV9hbW91bnQiOiAyfQ=="
}


$ aws iam get-policy --policy-arn arn:aws:iam::370179080679:policy/AllowUsercsgoserverAccessTocsgofile
An error occurred (NoSuchEntity) when calling the GetPolicy operation: Policy arn:aws:iam::370179080679:policy/AllowUsercsgoserverAccessTocsgofile was not found.

$ aws iam get-policy --policy-arn arn:aws:iam::370179080679:policy/eks-full-access-policy
{
    "Policy": {
        "PolicyName": "eks-full-access-policy",
        "PolicyId": "ANPAVMMDEQHTR4C65WFT6",
        "Arn": "arn:aws:iam::370179080679:policy/eks-full-access-policy",
        "Path": "/",
        "DefaultVersionId": "v1",
        "AttachmentCount": 0,
        "PermissionsBoundaryUsageCount": 0,
        "IsAttachable": true,
        "CreateDate": "2021-03-30T09:57:04+00:00",
        "UpdateDate": "2021-03-30T09:57:04+00:00"
    }
}

CodePudding user response:

I don't think your IAM policy is valid. You could use something similar to the below:

{
  "Id": "Policy1638106306386",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1638106302079",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::examplebucket",
      "Principal": {
        "AWS": [
          "370179080679"
        ]
      }
    }
  ]
}

I would also suggest putting the policy inline in your aws_iam_user_policy resource rather than using a data source. And looking at the documentation it does seem policy is a required field within the aws_iam_user_policy resource.

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy

Maybe like the below:

resource "aws_iam_user_policy" "s3user_policy" {
  name = aws_iam_user.s3user.name
  user = aws_iam_user.s3user.name

  # Inline identity policy; object-level actions need the "/*" object ARN.
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Sid" : "Stmt1638106302079",
        "Action" : "s3:*",
        "Effect" : "Allow",
        "Resource" : "arn:aws:s3:::examplebucket/*"
      }
    ]
  })
}

CodePudding user response:

I was missing two characters at the end of the Resource key: /* ...

data "aws_iam_policy_document" "default" {
  statement {
    sid       = "AllowUser${var.user_name}AccessTo${var.bucket_name}"
    actions   = ["s3:*"]
    resources = ["arn:aws:s3:::${var.bucket_name}/*"]
    effect    = "Allow"
  }
}
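To see why the original Resource ARN denied PutObject while the /* fix on its own loses bucket-level actions such as ListBucket, here is an added Python model of IAM resource matching (constructed for this thread; not AWS code and not the posters' code). It goes one step beyond the posted fix by also checking a least-privilege policy that lists both the bucket ARN and the object ARN; bucket name, object key and policy contents are assumptions mirroring the question.

```python
import fnmatch

# Simplified model of how IAM matches a statement's Resource against the ARN
# an S3 call is evaluated on. Ignores conditions, bucket policies and SCPs.
BUCKET_ARN = "arn:aws:s3:::csgofiles"          # constructed, from the question
OBJECT_ARN = BUCKET_ARN + "/bucket.tf"         # the object "aws s3 cp" uploads

# Bucket-level actions are evaluated against the bucket ARN, object-level
# actions against the object ARN. That distinction is the whole bug.
ACTION_RESOURCE = {
    "s3:ListBucket": BUCKET_ARN,
    "s3:PutObject": OBJECT_ARN,
    "s3:GetObject": OBJECT_ARN,
}

def _matches(pattern, value):
    # IAM wildcards (* and ?) behave like shell globs; ARNs contain no [ ].
    return fnmatch.fnmatchcase(value, pattern)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action):
    """Explicit Deny wins; otherwise any matching Allow grants the action."""
    resource = ACTION_RESOURCE[action]
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def evaluate(policy):
    return {action: is_allowed(policy, action) for action in ACTION_RESOURCE}

# The three policy shapes from the thread, as identity policies (no Principal).
ORIGINAL = {"Statement": [{"Effect": "Allow", "Action": "s3:*",
                           "Resource": BUCKET_ARN}]}              # user.tf as posted
OBJECTS_ONLY = {"Statement": [{"Effect": "Allow", "Action": "s3:*",
                               "Resource": BUCKET_ARN + "/*"}]}   # the "/*" fix
LEAST_PRIVILEGE = {"Statement": [                                 # both ARNs, scoped actions
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET_ARN},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": BUCKET_ARN + "/*"},
]}

if __name__ == "__main__":
    for name, policy in [("original", ORIGINAL), ("objects-only", OBJECTS_ONLY),
                         ("least-privilege", LEAST_PRIVILEGE)]:
        print(name, evaluate(policy))
```

The original policy only ever matches the bucket ARN, so ListBucket succeeds but PutObject is denied; the objects-only fix inverts that, and only the two-ARN policy grants both.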