Hello.
Even if I grant permission to "arn:aws:iam::[my-account-id]:root" in the S3 bucket policy, IAM users are not allowed.
When granting permission to an IAM user, you need to specify the IAM user's ARN like "arn:aws:iam::AWS-account-ID:user/user-name".
"arn:aws:iam::[my-account-id]:root" allows access to "[my-account-id]", but if permission is not set in the IAM policy, S3 cannot be accessed.
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html#access_policies-cross-account-delegating-resource-based-policies
Please read this document.
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-accounts
When you allow access to a different account, an administrator in that account must then grant access to an identity (IAM user or role) in that account.
Your policy looks good to me.
Try to use the Policy Simulator (https://policysim.aws.amazon.com/home/index.jsp)
It can show you which policy is denying you access.
Thanks. According to the simulator there are no matching statements when I try a ListBucket on the bucket.
Is there a way to query which users would match the ":root" principal?
Thanks for your reply. I have seen both those documents and they are a big source of my confusion because they describe the purpose of ":root" differently.
You're right that specifying a ":user/username" ARN or giving a user an identity policy makes it work, but in both cases the ":root" ARN is simply ignored.
Is this account principal only useful then in cross-account situations? But if so, why is the KMS default key policy like it is if it doesn't do anything for your own account?
"arn:aws:iam::[my-account-id]:root" cannot access S3 even if it is between accounts unless there is a permission action in the IAM policy. The KMS key is described in the documentation, but without "arn:aws:iam::[my-account-id]:root" you will have to rely solely on IAM policy operations. In other words, if there are no IAM policies that can be operated, access rights to KMS will be lost, so I think they are making it possible for even root users to operate.
https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-root-enable-iam
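The behaviour the thread converges on (a bucket policy naming `arn:aws:iam::ACCOUNT:root` delegates the decision to that account's IAM policies rather than granting anything to its users directly, while a bucket policy naming the user ARN grants on its own) is easier to see with a small model. The following is an added example, not code from AWS and not the real policy evaluator: it implements only the simplified rules discussed above (explicit Deny wins; same-account access needs either an identity policy or a bucket-policy statement that names the principal directly; cross-account access needs the bucket policy to name the caller or its account root and the caller's own identity policy to allow). Account IDs, user names and the bucket name are constructed placeholders.

```python
"""Simplified model of ":root" delegation in S3 bucket policies.

Added example, not AWS code and not the real IAM evaluator. It models only
the cases discussed in the thread; conditions, session policies, permission
boundaries, SCPs and ACLs are deliberately left out. All IDs are constructed.
"""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM Action/Resource elements allow "*" wildcards; fnmatch is close enough here.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(principal, arn):
    # Principal is "*" or {"AWS": "<arn>" | ["<arn>", ...]} in this model.
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", []))
    return arn in aws or "*" in aws


def _effects(policy, action, resource, principal_arn=None):
    """Effects ("Allow"/"Deny") of statements matching action, resource and,
    for resource-based policies, the given principal ARN."""
    effects = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if principal_arn is not None and not _principal_matches(stmt.get("Principal", {}), principal_arn):
            continue
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            effects.add(stmt["Effect"])
    return effects


def account_of(arn):
    return arn.split(":")[4]


def root_arn(account_id):
    return f"arn:aws:iam::{account_id}:root"


def accounts_delegated(bucket_policy):
    """Accounts whose IAM identities are delegated to by ":root" principals.
    This is the answer to "which users match :root": every identity in these
    accounts, subject to that account's own identity-based policies."""
    accounts = set()
    for stmt in _as_list(bucket_policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if principal == "*":
            continue
        for arn in _as_list(principal.get("AWS", [])):
            if arn.endswith(":root"):
                accounts.add(account_of(arn))
    return accounts


def is_allowed(caller_arn, action, resource, bucket_policy, identity_policy, bucket_account):
    caller_account = account_of(caller_arn)
    direct = _effects(bucket_policy, action, resource, caller_arn)               # caller named explicitly
    via_root = _effects(bucket_policy, action, resource, root_arn(caller_account))  # caller's account named
    identity = _effects(identity_policy, action, resource)                       # caller's IAM policy
    if "Deny" in direct | via_root | identity:
        return False                                                             # explicit Deny always wins
    identity_allows = "Allow" in identity
    if caller_account == bucket_account:
        # Same account: naming the user in the bucket policy suffices, as does an
        # identity policy. A ":root" principal only delegates, so on its own it
        # grants nothing to IAM users.
        return "Allow" in direct or identity_allows
    # Cross-account: the bucket policy must admit the caller (directly or through
    # its account root) AND the caller's own account must grant the action.
    return ("Allow" in direct or "Allow" in via_root) and identity_allows


# Constructed sample data
MY_ACCOUNT = "111111111111"
OTHER_ACCOUNT = "222222222222"
BUCKET = "arn:aws:s3:::example-bucket"
ALICE = f"arn:aws:iam::{MY_ACCOUNT}:user/alice"
BOB = f"arn:aws:iam::{OTHER_ACCOUNT}:user/bob"

BUCKET_POLICY_ROOT = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": [root_arn(MY_ACCOUNT), root_arn(OTHER_ACCOUNT)]},
    "Action": "s3:ListBucket", "Resource": BUCKET}]}
BUCKET_POLICY_USER = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ALICE},
    "Action": "s3:ListBucket", "Resource": BUCKET}]}
NO_POLICY = {"Version": "2012-10-17", "Statement": []}
LIST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET}]}


def run_cases():
    act = "s3:ListBucket"
    return {
        "root_only_no_identity": is_allowed(ALICE, act, BUCKET, BUCKET_POLICY_ROOT, NO_POLICY, MY_ACCOUNT),
        "root_plus_identity": is_allowed(ALICE, act, BUCKET, BUCKET_POLICY_ROOT, LIST_POLICY, MY_ACCOUNT),
        "user_named_directly": is_allowed(ALICE, act, BUCKET, BUCKET_POLICY_USER, NO_POLICY, MY_ACCOUNT),
        "cross_account_root_no_identity": is_allowed(BOB, act, BUCKET, BUCKET_POLICY_ROOT, NO_POLICY, MY_ACCOUNT),
        "cross_account_root_plus_identity": is_allowed(BOB, act, BUCKET, BUCKET_POLICY_ROOT, LIST_POLICY, MY_ACCOUNT),
    }


if __name__ == "__main__":
    for name, allowed in run_cases().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The first case is exactly the asker's situation: the bucket policy names `:root`, the user has no identity policy, and the model denies, just as the Policy Simulator reported no matching statement. The `accounts_delegated` helper answers the "which users match `:root`" question in the only way it can be answered: the principal matches an account, and which identities in that account actually get access is decided by their own IAM policies.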