Home > Enterprise >  Cannot access S3 object even though all indications are that I should including policy simulator. Wh
Cannot access S3 object even though all indications are that I should including policy simulator. Wh

Time:02-25

I can use this policy to upload files to my bucket from user A, in group Z. A different user in group B also is in group Z and therefore has the same policy. However, I cannot read the file when logged in as B to the AWS management console. I'm especially mystified because according to the Policy Simulator, this policy (plus the Admin access user B has) should fully enable B to see the file in question.

Instead, user B only gets Access Denied.

Help? I feel like I'm missing something very simple here.

My complete (if redacted) group policy is:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "s3:GetBucketLocation",
            "s3:ListBucket"
        ],
        "Resource": "arn:aws:s3:::my-bucket"
    },
    {
        "Sid": "VisualEditor1",
        "Effect": "Allow",
        "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:DeleteObject"
        ],
        "Resource": [
            "arn:aws:s3:::my-bucket/*",
            "arn:aws:s3:::my-bucket"
        ]
    }
]

}

My auto-generated bucket policy is:

{
"Version": "2012-10-17",
"Id": "S3-Console-Auto-Gen-Policy-1645709424074",
"Statement": [
    {
        "Sid": "S3PolicyStmt-DO-NOT-MODIFY-1645709423946",
        "Effect": "Allow",
        "Principal": {
            "Service": "logging.s3.amazonaws.com"
        },
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::my-bucket/*"
    }
]

}

My bucket has Block Public Access turned on.

CodePudding user response:

The problem here is that even though you are logged into the AWS console, your authentication does not extend to downloading an S3 object via a simple HTTP GET of the object at https://mybucket.s3.region.amazonaws.com/myfile.png, as would happen if you pasted that URL into a new tab.

Instead, you can generate and use an S3 pre-signed URL to download the object. A pre-signed URL is time-limited and is signed with your secret key so it includes all the auth needed to download the object.

You can use the S3 console, awscli, or any AWS SDK to generate a pre-signed S3 URL, for example:

aws s3 presign s3://mybucket/myfile.png

Note that pre-signed URLs behave somewhat like a bearer token. Whoever has the pre-signed URL can use it to download the object, until it expires.

You can also download individual objects, or even entire buckets of objects, using the awscli (with appropriate authentication).

  • Related