Home > OS >  Unable to add policy based on tags for s3 objects
Unable to add policy based on tags for s3 objects

Time:10-18

I am new to AWS and I have a scenario where i need to give access to s3 objects based on tags. I created IAM user and attached following policy to the user using my root account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "s3:ExistingObjectTag/role": "developer"
                }
            }
        }
    ]
}

Now I have bucket with many files and tagged one file with tag role and value as developer so that my user can see only one file I tagged.

https://imgur.com/a/tEe0rCw

https://imgur.com/a/Npq9gb4

But when i login with IAM user, I am not seeing any buckets. Ideally i expected i would see bucket with relevant file (file with right tag)

https://imgur.com/a/t7GSlxS

I tried several other options, but none of the options worked. Another option I tried is

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListObject"
            ],
            "Resource": "arn:aws:s3:::general-eda/*",
            "Condition": {
                "StringEquals": {
                    "s3:ExistingObjectTag/role": "developer"
                }
            }
        }
    ]
}

Am i doing anything wrong or should user have any other permissions so that tags will work as expected. Any help is appreciated.

Edit1: Based on comments I edited my policy but still not working

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListObject"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "s3:ExistingObjectTag/role": "developer"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        }
    ]
}

CodePudding user response:

Your policy is basically saying "Allow this person to do anything on AWS as long as the object has a tag of role:develop".

However, very few API calls to AWS can use this Condition. They are: DeleteObjectTagging, DeleteObjectVersionTagging, GetObject, GetObjectAcl, GetObjectAttributes, GetObjectTagging, GetObjectVersion, GetObjectVersionAcl, GetObjectVersionAttributes, GetObjectVersionTagging, PutObjectAcl, PutObjectTagging, PutObjectVersionAcl, PutObjectVersionTagging

See: Actions, resources, and condition keys for Amazon S3 - Service Authorization Reference

Therefore, any API call that is not one of the above will fail due to the Condition in your IAM policy.

To list the contents of a bucket, you would need to grant s3:ListBucket permission to the user.

Page link:https//www.codepudding.com/os/579741.html

Prev:Mock the result of cursor.execute() when using cx_Oracle for unit testing
Next:Determining Foreground Color of Text in Google Slides When the Text Uses Multiple Foreground Colors
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding