IAM user access to S3: uploads fail

0

Based on this:
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-policies-s3.html#iam-policy-ex0

I created an IAM user and attached a policy similar to this (the only difference being using the real bucket name instead of "examplebucket"):

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListAllMyBuckets"
         ],
         "Resource":"arn:aws:s3:::*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListBucket",
            "s3:GetBucketLocation"
         ],
         "Resource":"arn:aws:s3:::examplebucket"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:GetObject",
            "s3:GetObjectAcl",
            "s3:DeleteObject"
         ],
         "Resource":"arn:aws:s3:::examplebucket/*"
      }
   ]
}

When I log in as the new IAM user via the console, I can go to S3 and list all the S3 buckets, but there are two problems:

  1. In the main S3 window, there is an "Error" indication in the "Access" column for every bucket. Screenshot here:

https://testify4love.s3-us-west-2.amazonaws.com/maxi_bucket_access_error.jpg

  2. When I try to upload a file to examplebucket or a folder under it, the upload fails.

Any suggestions would be welcome.

asked 5 years ago · 238 views
4 Answers
0
Accepted Answer

Hi,
Try attaching the following Policy to your user's group. With this policy, I was able to upload files to the specified bucket AND the access column was being displayed properly. Note: the first "Action" is required to properly display the Access column.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetAccountPublicAccessBlock",
                "s3:GetBucketAcl",
                "s3:GetBucketPolicyStatus"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject*"
            ],
            "Resource": [
                "arn:aws:s3:::examplebucket/*",
                "arn:aws:s3:::examplebucket"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::examplebucket/*"
        }
    ]
}

Hope this helps!
-randy

answered 5 years ago
0

Hi Randy - Thanks for your help.

I tried this, and it did cure the "Access" column problem. The proper status, such as "Public", is now displayed. So, progress.

And when I try to upload a file, the blue progress indicator goes to 100%, and says "Successful" -- which it was not doing before -- but then the file does not upload. And there is an error indicated, like this:
https://testify4love.s3-us-west-2.amazonaws.com/maxi_bucket_failures.png

I added your policy to the one I had before. Should I delete the one I had created -- or at least remove it from this user?

Thanks again!

Edited by: mikeh100 on Aug 17, 2019 9:15 PM

answered 5 years ago
0

Yes, please delete the one you created. Let me know if it works.
-randy

answered 5 years ago
0

Thanks, Randy. Unfortunately, that didn't seem to change anything. Looking at the details of the failed upload, it says "forbidden". I find I can download, by the way.

OMG I just realized I had the bucket name wrong! I put "mybucket" in the policy when the name was actually "mybucket.com". When I corrected that, your policy worked. Thank you again, Randy!

Edited by: mikeh100 on Aug 18, 2019 1:29 AM

answered 5 years ago
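
The root cause found at the end of this thread (policy ARNs naming "mybucket" while the bucket was "mybucket.com") can be caught offline before a policy is attached. The following is an added example, not code from the thread or from AWS: a simplified identity-policy matcher that ignores Condition, NotAction/NotResource, policy variables and bucket policies. The POLICY document and the helper names (is_allowed, audit) are constructed for illustration.

```python
import json
import re

# Constructed policy reproducing the thread's mistake: the ARNs name "mybucket",
# while the real bucket is called "mybucket.com".
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject*"],
     "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"]},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::mybucket/*"}
  ]
}""")

def _as_list(value):
    # Action and Resource may each be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _match(pattern, value, flags=0):
    # IAM wildcards: "*" matches any run of characters, "?" exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, flags | re.DOTALL) is not None

def is_allowed(policy, action, resource):
    """Explicit Deny wins, otherwise any matching Allow, otherwise implicit deny."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        # Action names are case-insensitive; resource ARNs are not.
        hit = (any(_match(a, action, re.IGNORECASE) for a in _as_list(stmt["Action"]))
               and any(_match(r, resource) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed

def audit(policy, bucket, key="probe.txt"):
    """Return the (action, ARN) pairs the policy does not allow for this bucket."""
    arn = f"arn:aws:s3:::{bucket}"
    checks = [("s3:ListBucket", arn), ("s3:GetObject", f"{arn}/{key}"),
              ("s3:PutObject", f"{arn}/{key}")]
    return [(a, r) for a, r in checks if not is_allowed(policy, a, r)]

if __name__ == "__main__":
    for name in ("mybucket", "mybucket.com"):
        print(name, "-> denied:", audit(POLICY, name))
```

An empty result for the bucket name you actually use means the ARNs in the policy line up with it; any entry in the list points at a Resource string to recheck.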
