I want to allow access to a folder only for certain file extensions. I have this policy created:
```json
{
  "Version": "2012-10-17",
  "Id": "Policy1464968545158",
  "Statement": [
    {
      "Sid": "allow-policy-1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123123:user/myuser-s3-uploader"
      },
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket/only-allowed-folder/*/*.jpg",
        "arn:aws:s3:::my-bucket/only-allowed-folder/*/*.jpeg",
        "arn:aws:s3:::my-bucket/only-allowed-folder/*/*.png"
      ]
    },
    {
      "Sid": "allow-policy-2",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
```
With this policy, I always get access denied. If I remove the second statement, `allow-policy-2`, however, it works.

I also replaced `"Principal": "*"` with `"arn:aws:iam::123123:user/myuser-s3-uploader"` but get the same behaviour.

Is this because `Deny` has precedence over `Allow`? Is there a way to achieve this?
FYI, I am using AWS SDK to generate a presigned URL with the same user and then my front-end is using that presigned URL to upload/PUT files. I couldn't find a way to handle this via presigned URL.
CodePudding user response:
Remove the deny policy (the one you named "allow-policy-2"). By default there is no access granted to any object, so I don't see the point of adding a deny policy, and it looks like it overrides the allow policy that you created first in the statement ("allow-policy-1").
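As an added illustration (not part of the question or the answer), the following Python models the evaluation order the answer relies on: an explicit `Deny` that matches the request wins over any `Allow`, and a request that matches no statement ends in an implicit deny, which is why the restriction to `.jpg`/`.jpeg`/`.png` already holds without the second statement. It re-evaluates the policy from the question against constructed object keys; the second principal ARN is constructed for contrast, and `Condition` blocks, `NotResource`/`NotAction` and identity-based policies are deliberately left out of the model.

```python
"""Toy simulator of S3 bucket-policy evaluation for the policy in the question.

Simplifications (assumptions of this example, not AWS behaviour in full):
no Condition blocks, no NotAction/NotResource, no identity-based policies.
Only the Deny-overrides-Allow ordering and '*'/'?' resource matching are modelled.
"""
import re

UPLOADER = "arn:aws:iam::123123:user/myuser-s3-uploader"   # from the question
OTHER_USER = "arn:aws:iam::123123:user/someone-else"       # constructed for contrast
BUCKET = "arn:aws:s3:::my-bucket/"

# The bucket policy exactly as posted in the question.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "allow-policy-1",
            "Effect": "Allow",
            "Principal": {"AWS": UPLOADER},
            "Action": ["s3:PutObject", "s3:GetObject"],
            "Resource": [
                BUCKET + "only-allowed-folder/*/*.jpg",
                BUCKET + "only-allowed-folder/*/*.jpeg",
                BUCKET + "only-allowed-folder/*/*.png",
            ],
        },
        {
            "Sid": "allow-policy-2",
            "Effect": "Deny",
            "Principal": "*",
            "Action": ["s3:PutObject", "s3:GetObject"],
            "Resource": BUCKET + "*",
        },
    ],
}


def arn_pattern_matches(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters (including '/'),
    '?' matches exactly one character, everything else is literal."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_matches(principal, caller_arn: str) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = _as_list(principal.get("AWS", []))
        return "*" in aws or caller_arn in aws
    return principal == caller_arn


def evaluate(policy: dict, caller_arn: str, action: str, resource_arn: str) -> str:
    """Return 'explicit deny', 'allow' or 'implicit deny' for one request."""
    outcome = "implicit deny"  # nothing matched yet: access is not granted
    for stmt in policy["Statement"]:
        if not principal_matches(stmt["Principal"], caller_arn):
            continue
        if not any(arn_pattern_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(arn_pattern_matches(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit deny"  # a matching Deny ends evaluation regardless of Allows
        outcome = "allow"
    return outcome


def without_statement(policy: dict, sid: str) -> dict:
    return {**policy, "Statement": [s for s in policy["Statement"] if s["Sid"] != sid]}


def with_deny_principal(policy: dict, principal) -> dict:
    """Variant the asker tried: same Deny, but Principal narrowed to one ARN."""
    stmts = [dict(s, Principal=principal) if s["Sid"] == "allow-policy-2" else s
             for s in policy["Statement"]]
    return {**policy, "Statement": stmts}


def demo() -> dict:
    """Evaluate constructed PutObject requests under the posted policy and the fixed one."""
    jpg = BUCKET + "only-allowed-folder/user-1/photo.jpg"
    fixed = without_statement(QUESTION_POLICY, "allow-policy-2")
    narrowed = with_deny_principal(QUESTION_POLICY, {"AWS": UPLOADER})
    return {
        "as posted, .jpg": evaluate(QUESTION_POLICY, UPLOADER, "s3:PutObject", jpg),
        "deny narrowed to uploader, .jpg": evaluate(narrowed, UPLOADER, "s3:PutObject", jpg),
        "deny removed, .jpg": evaluate(fixed, UPLOADER, "s3:PutObject", jpg),
        "deny removed, .txt": evaluate(
            fixed, UPLOADER, "s3:PutObject", BUCKET + "only-allowed-folder/user-1/notes.txt"),
        "deny removed, outside folder": evaluate(
            fixed, UPLOADER, "s3:PutObject", BUCKET + "other-folder/user-1/photo.jpg"),
        "deny removed, other user": evaluate(fixed, OTHER_USER, "s3:PutObject", jpg),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:35s} -> {result}")
```

Two caveats the simulation makes visible. First, because `*` also matches `/`, the Allow covers keys nested any depth below `only-allowed-folder/`, not just one level. Second, the check is on the object key alone: a key ending in `.jpg` is allowed whatever bytes are uploaded, so anything that later serves or processes those objects should still validate content type rather than trust the suffix.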