Allowing access to only a single file in AWS S3 from IAM policy

Time:10-22

I am trying to allow access to only a particular file within an S3 folder and tried the IAM policy below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetLifecycleConfiguration",
                "s3:GetBucketTagging",
                "s3:GetInventoryConfiguration",
                "s3:GetObjectVersionTagging",
                "s3:ListBucketVersions",
                "s3:GetBucketLogging",
                "s3:ListBucket",
                "s3:GetAccelerateConfiguration",
                "s3:GetBucketPolicy",
                "s3:GetObjectVersionTorrent",
                "s3:GetObjectAcl",
                "s3:GetEncryptionConfiguration",
                "s3:GetBucketObjectLockConfiguration",
                "s3:GetIntelligentTieringConfiguration",
                "s3:GetBucketRequestPayment",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectTagging",
                "s3:GetMetricsConfiguration",
                "s3:GetBucketOwnershipControls",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketPolicyStatus",
                "s3:ListBucketMultipartUploads",
                "s3:GetObjectRetention",
                "s3:GetBucketWebsite",
                "s3:GetBucketVersioning",
                "s3:GetBucketAcl",
                "s3:GetObjectLegalHold",
                "s3:GetBucketNotification",
                "s3:GetReplicationConfiguration",
                "s3:ListMultipartUploadParts",
                "s3:GetObject",
                "s3:GetObjectTorrent",
                "s3:GetBucketCORS",
                "s3:GetAnalyticsConfiguration",
                "s3:GetObjectVersionForReplication",
                "s3:GetBucketLocation",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::prod-bucket/folder1/folder2/*",
                "arn:aws:s3:::prod-bucket/folder3/folder4/my_file.csv",
            ]
        }
    ]
}

I am able to read all objects inside folder2, but when trying to read my_file.csv inside folder4 it is not able to fetch it. Is there something wrong with the syntax? I tried multiple ways but couldn't figure out how to restrict reading to only a particular file.

CodePudding user response:

You can use the AWS Policy Generator for it if you don't know how to write one, and you can end up with something like this.

{
  "Id": "VisualEditor0",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1634859177800",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::prod-bucket/folder3/folder4/my_file.csv",
      "Principal": "*"
    },
    {
      "Sid": "Stmt1634859274600",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::prod-bucket/folder1/folder2/*",
      "Principal": "*"
    }
  ]
}

CodePudding user response:

This policy worked for me:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "s3:GetObject",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::my-bucket/folder3/folder4/my_file.csv"
        }
    ]
}

I put that policy on an IAM User, then used the AWS CLI (as that user) with:

aws s3 cp s3://my-bucket/folder3/folder4/my_file.csv -

It successfully printed the file to my screen that I had uploaded under that name. (The hyphen sends it to stdout.)
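As an added illustration, not code from the question or either answer, the following Python evaluator applies IAM's simplified matching rules (wildcards in Action and Resource, explicit Deny overriding Allow, implicit deny otherwise) to the minimal policy from the answer above; it also shows why s3:ListBucket, which is evaluated against the bucket ARN rather than an object ARN, is never granted by a policy that lists only object ARNs. Conditions and Principal are ignored, and the bucket name my-bucket is taken from the answer.

```python
import json
import re

# The minimal policy from the answer above, embedded as sample input for this example.
MINIMAL_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "s3:GetObject",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::my-bucket/folder3/folder4/my_file.csv"
        }
    ]
}""")


def _as_list(value):
    """IAM lets Action and Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, text):
    """IAM pattern matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, text) is not None


def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation for one action on one resource: an explicit
    Deny wins, otherwise any matching Allow grants, otherwise the implicit deny applies.
    Action names compare case-insensitively, resource ARNs case-sensitively; no Conditions."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_wildcard_match(a.lower(), action.lower()) for a in _as_list(stmt["Action"]))
        resource_hit = any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    obj = "arn:aws:s3:::my-bucket/folder3/folder4/my_file.csv"
    print(is_allowed(MINIMAL_POLICY, "s3:GetObject", obj))                              # True
    print(is_allowed(MINIMAL_POLICY, "s3:GetObject", obj.replace("my_file", "other")))  # False
    # s3:ListBucket is checked against the bucket ARN, not an object ARN, so a policy
    # that names only object ARNs (like both policies on this page) never grants it.
    print(is_allowed(MINIMAL_POLICY, "s3:ListBucket", "arn:aws:s3:::my-bucket"))       # False
```

The last line explains why a user with such a policy can `aws s3 cp` the exact key but cannot browse the bucket or folder in the console or with `aws s3 ls`.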
