Grant a user S3 console access to only a certain bucket

0

Hi, in your solution here: https://repost.aws/knowledge-center/s3-console-access-certain-bucket, first example (for access to an S3 bucket), when I removed the s3:ListAllMyBuckets action and then added the ListBucket action, the user cannot see any of the buckets anymore. Why is that? Please help!

  • It would help if you can copy the policy (you might want to redact the account number in your policy and/or change the bucket name).

Asked 10 months ago, 389 views
6 answers
0
Accepted answer

Sorry I didn't answer your question clearly.

So is the example here wrong?

It's not wrong, but there is a warning in the link you shared.

Warning: After you change these permissions, the user gets an Access Denied error when they access the main Amazon S3 console. The user must use a direct console link to access the bucket or folder.

So the user has to access the bucket directly from the console like this.

https://s3.console.aws.amazon.com/s3/buckets/DOC-EXAMPLE-BUCKET/

So my answer is: only showing a specific bucket in the S3 main console is unfortunately impossible.

Expert
Answered 10 months ago
Expert
Reviewed 10 months ago
0

Hi, That doesn't answer my question. So is the example here wrong? https://repost.aws/knowledge-center/s3-console-access-certain-bucket . I want to grant a user S3 console access to a particular bucket. However, I don't want the user to see other buckets in the account. When I implemented the solution, the user cannot see any bucket at all.

Answered 10 months ago
  • Sorry. I have posted another answer.

0

@berang_ks I just copied the example (and of course changed the bucket name to my real bucket name). Previously, the actions included "s3:ListAllMyBuckets" and the user could see all the buckets. The solution provided says to remove it and just have "s3:ListBucket". But when I removed "s3:ListAllMyBuckets", the user cannot see any bucket at all.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [ "s3:ListBucket" ],
            "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
        },
        {
            "Effect": "Allow",
            "Action": [ "s3:PutObject", "s3:GetObject" ],
            "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
        }
    ]
}

Answered 10 months ago
  • Unfortunately it is not possible to limit the console view to only the allowed buckets. By removing s3:ListAllMyBuckets, the user will not see any buckets in the console, but he/she can access the allowed bucket through the console direct link: https://s3.console.aws.amazon.com/s3/buckets/BUCKET_NAME/

    This is explained as well at the end of the article you posted as the reference (look under Warning).

0

Hi. s3:ListBucket allows viewing the list of objects in a bucket; if you want to allow viewing the list of buckets, there is a separate action called s3:ListAllMyBuckets.

The link as follows will give you insights.

https://stackoverflow.com/questions/66770970/invalid-action-the-action-s3listobjects-does-not-exist

Expert
Answered 10 months ago
0

"s3:ListBucket" is used to display objects in S3 buckets, as described in the following document.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html

Grants permission to list some or all of the objects in an Amazon S3 bucket (up to 1000)

Therefore, "s3:ListAllMyBuckets" must be used to display the list of buckets.
"s3:ListAllMyBuckets" cannot be restricted in the resource section, so it is not possible to list only specific buckets.

In the case of the policy you presented, it is possible to open the bucket details screen if the console URL of the bucket is known.

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
        { 
            "Effect": "Allow", 
            "Action": [ "s3:ListBucket" ], 
            "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET" 
        }, 
        { 
            "Effect": "Allow", 
            "Action": [ "s3:PutObject", "s3:GetObject" ], 
            "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*" 
        } 
    ] 
}
Expert
Answered 10 months ago
Expert
Reviewed 10 months ago
Expert
Reviewed 10 months ago
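The answers above boil down to three rules from the Service Authorization Reference: s3:ListBucket is a bucket-level action (Resource is the bucket ARN), s3:GetObject/s3:PutObject are object-level (Resource needs the "/*" suffix), and s3:ListAllMyBuckets only matches Resource "*", so it cannot be scoped to one bucket. The following is an added example, not part of the thread and not AWS code: an offline check that applies those rules to a policy document, flags statements that cannot work, and prints the direct console URL (in the form quoted in this thread) for each bucket the policy allows listing. The sample policy is the one posted above plus a constructed extra statement that tries to restrict ListAllMyBuckets; the helper names and the finding wording are this example's own.

```python
"""Offline sanity check for a "one S3 bucket via the console" IAM policy.

Added example for this thread, not AWS code; it makes no API calls.
Encoded rules (from the Service Authorization Reference for S3):
  * s3:ListBucket is bucket-level: Resource must be the bucket ARN, no "/*".
  * s3:GetObject / s3:PutObject are object-level: Resource needs "<bucket>/*".
  * s3:ListAllMyBuckets only matches Resource "*"; scoping it to a bucket ARN
    is accepted syntactically but the statement then never applies.
"""
import json
from typing import Dict, List

# Direct console link format quoted in the thread.
CONSOLE_URL = "https://s3.console.aws.amazon.com/s3/buckets/{bucket}/"

# Constructed sample input: the policy from the thread plus a third statement
# that tries (and fails) to limit ListAllMyBuckets to one bucket.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET"},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"},
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets",
     "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET"}
  ]
}
""")

BUCKET_LEVEL = {"s3:listbucket"}
OBJECT_LEVEL = {"s3:getobject", "s3:putobject", "s3:deleteobject"}


def _as_list(value) -> List:
    """IAM accepts either a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _is_object_arn(arn: str) -> bool:
    """arn:aws:s3:::bucket/key (or /*) is an object ARN; no slash means a bucket ARN."""
    return arn.startswith("arn:aws:s3:::") and "/" in arn.split(":::", 1)[1]


def _bucket_name(arn: str) -> str:
    return arn.split(":::", 1)[1].split("/", 1)[0]


def review_s3_policy(policy: Dict) -> Dict[str, List[str]]:
    """Return the direct console links the policy supports plus any findings.

    Simplification of this example: only literal action names are matched;
    wildcard actions such as "s3:*" are reported, not expanded.
    """
    links: List[str] = []
    findings: List[str] = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            name = action.lower()
            if name == "s3:listallmybuckets":
                if all(r == "*" for r in resources):
                    findings.append("s3:ListAllMyBuckets on '*': the console "
                                    "will list every bucket name in the account")
                else:
                    findings.append("s3:ListAllMyBuckets with Resource %s: this "
                                    "action only matches '*', so the statement "
                                    "grants nothing" % resources)
            elif name in BUCKET_LEVEL:
                for r in resources:
                    if _is_object_arn(r):
                        findings.append("%s on %s: bucket-level action, use the "
                                        "bucket ARN without '/*'" % (action, r))
                    elif "*" not in r:  # a concrete bucket we can link to
                        links.append(CONSOLE_URL.format(bucket=_bucket_name(r)))
            elif name in OBJECT_LEVEL:
                for r in resources:
                    if r != "*" and not _is_object_arn(r):
                        findings.append("%s on %s: object-level action, Resource "
                                        "needs '%s/*'" % (action, r, r))
            elif name.endswith("*"):
                findings.append("wildcard action %s is not expanded by this check"
                                % action)
    return {"console_links": sorted(set(links)), "findings": findings}


if __name__ == "__main__":
    result = review_s3_policy(SAMPLE_POLICY)
    for link in result["console_links"]:
        print("direct console link:", link)
    for finding in result["findings"]:
        print("finding:", finding)
```

Run against the sample, the only finding is the ListAllMyBuckets statement with a bucket ARN, which is exactly the thing the thread says cannot be done; the two statements copied from the knowledge-center article pass, and the check emits the direct link the user has to hand out because the S3 landing page will show an empty list.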
0

@Riku_Kobayashi @_takahash That's it!! I didn't scroll all the way down I didn't see that you can actually get to the bucket directly from the url. Thank you very much!

Answered 10 months ago
