S3 Bucket Policy not working for IAM user


I am attempting to retrieve files that users upload in a Django app and am getting an Access Denied error. I am attempting to use the bucket policy below. I have only 1 IAM user and this user has AmazonS3FullAccess. I have no other policies attached to this user. If I do "Principal": "*" files display just fine, so I know there is no problem with my app. I've tried many different bucket policies with my IAM user and each one triggers an Access Denied error. I've also tried the policy generator as well. I have block public access disabled and tried very liberal CORS configurations as well.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::{ACCOUNT_NUMBER}:user/{IAM_USERNAME}"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::{BUCKETNAME}/*"
        }
    ]
}

asked 9 months ago, 472 views
1 Answer

Is the Django app hosted on EC2?
If hosted on EC2, is the IAM role configured on the EC2?
If an IAM role is set up in EC2, the principal of the bucket policy would need to be the ARN of the IAM role.
The bucket policy would be as follows.

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
        { 
            "Sid": "Statement1", 
            "Effect": "Allow", 
            "Principal": { 
                "AWS": "arn:aws:iam::{ACCOUNT_NUMBER}:role/{IAM_ROLE_NAME}" 
            }, 
            "Action": "s3:*", 
            "Resource": ["arn:aws:s3:::{BUCKETNAME}/*", "arn:aws:s3:::{BUCKETNAME}"]
        }
    ]
}
EXPERT, answered 9 months ago
EXPERT, reviewed 9 months ago
  • No, the app is not currently hosted anywhere. It is under development and I am using a development server, i.e. localhost. I am using the boto3 library to allow my app to interface with S3, if that helps.

  • OK. Understood. In other words, am I correct that you are accessing S3 using an access key? Is access available if block public access is enabled? If the IAM policy is configured correctly, there is no need to disable block public access. Also, is there an error log or other output when accessing the app?

  • Yes, this is correct, I am passing AWS keys as env variables using the boto3 library. When I turn on "block public access" I cannot view files in my app even with "Principal": "*" added to the policy. However, I am still able to retrieve file names from S3, which I cannot do without using AWS keys. The error in my app is: AccessDeniedAccessDenied37083u4932BKHTYTHI/HUSIHIFTUW10= (the numerical portion of the error is dummy data).

  • If the appropriate permissions are attached to the IAM user, there should be no problem disabling public access. By the way, can you share how the code for the part that lists the S3 objects looks like?

  • I only have 1 IAM user and the permission attached to this user is **AmazonS3FullAccess**. I don't have any other permissions attached to this user. Below is the code for S3 object retrieval. The code shared displays files with no issue if I have "Principal": "*" in the bucket policy + public access enabled. It also grabs file names and displays them in my app regardless of whether public access is enabled or disabled, which leads me to believe the connection to the bucket via code isn't the issue. I've swapped the real bucket name for BUCKET_NAME.
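The thread turns on two things a bucket policy has to get right, and the answer's corrected policy shows both: object actions such as s3:GetObject are evaluated against the object ARN (arn:aws:s3:::bucket/*), while s3:ListBucket is evaluated against the bucket ARN itself (arn:aws:s3:::bucket, no trailing slash), so a policy that names only one of them grants only half of what the app needs. The third factor is Block Public Access: with it enabled, S3 ignores an Allow whose Principal is "*", which is the setting a development bucket holding user uploads should keep on. The following is an added example, not code from the question, the answer, or AWS; it is a stdlib-only Python model that builds a least-privilege single-principal policy, runs a deliberately simplified evaluator over it (explicit Deny wins, otherwise any matching Allow; identity-based IAM policies such as AmazonS3FullAccess are not modelled, and public statements are skipped when Block Public Access is on), and lints the two findings a reviewer would raise on the policies posted above. The account ID, bucket name and IAM user name are placeholders.

```python
"""Simplified S3 bucket-policy evaluation (added example; stdlib only, runs offline)."""
import fnmatch
import json

ACCOUNT = "123456789012"                              # placeholder account ID (constructed)
BUCKET = "example-bucket"                             # placeholder bucket name (constructed)
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/django-app"  # hypothetical IAM user


def build_bucket_policy(principal_arn, bucket):
    """Least-privilege policy for one principal, covering both ARNs S3 actually checks."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # object-level actions are matched against arn:aws:s3:::bucket/key
                "Sid": "ObjectAccess",
                "Effect": "Allow",
                "Principal": {"AWS": principal_arn},
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
            {   # bucket-level actions are matched against arn:aws:s3:::bucket (no slash)
                "Sid": "BucketAccess",
                "Effect": "Allow",
                "Principal": {"AWS": principal_arn},
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
        ],
    }


def question_policy(principal_arn, bucket):
    """The policy from the question with its asterisks restored: s3:* on the object ARN only."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "Statement1", "Effect": "Allow", "Principal": {"AWS": principal_arn},
        "Action": "s3:*", "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def public_policy(bucket):
    """The 'Principal': '*' variant that made the files display: anonymous read of every object."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return caller_arn in _as_list(principal.get("AWS", []))
    return False


def is_allowed(policy, caller_arn, action, resource, block_public_access=True):
    """Explicit Deny wins; otherwise any matching Allow grants.

    With block_public_access=True, statements whose Principal is "*" are ignored,
    approximating S3's RestrictPublicBuckets behaviour. Identity-based (IAM)
    policies are deliberately not modelled, so this answers only the question
    "what does the bucket policy by itself grant?".
    """
    allowed = False
    for stmt in policy["Statement"]:
        if block_public_access and stmt.get("Principal") == "*":
            continue
        if not _principal_matches(stmt.get("Principal"), caller_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def lint_policy(policy):
    """Flag public Allows and blanket s3:* grants; returns a list of finding strings."""
    findings = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Principal") == "*" and stmt["Effect"] == "Allow":
            findings.append(f"{sid}: Principal '*' makes the bucket public")
        if "s3:*" in _as_list(stmt["Action"]):
            findings.append(f"{sid}: s3:* grants every S3 action, including delete and policy changes")
    return findings


if __name__ == "__main__":
    obj = f"arn:aws:s3:::{BUCKET}/uploads/photo.png"
    bucket_arn = f"arn:aws:s3:::{BUCKET}"
    qp = question_policy(USER_ARN, BUCKET)
    print("question policy, GetObject :", is_allowed(qp, USER_ARN, "s3:GetObject", obj))
    print("question policy, ListBucket:", is_allowed(qp, USER_ARN, "s3:ListBucket", bucket_arn))
    print("findings:", lint_policy(qp))
    print(json.dumps(build_bucket_policy(USER_ARN, BUCKET), indent=2))
```

Run against the question's policy, the evaluator shows s3:GetObject allowed but s3:ListBucket not, because only the object ARN is listed; the corrected policy from the answer (two resources) passes both. The public variant is allowed only when block_public_access is False, which is why turning Block Public Access on broke the "Principal": "*" workaround. In the same account, an IAM user holding AmazonS3FullAccess needs no bucket policy at all to call S3 through boto3; a request that only succeeds when the bucket is public is, in practice, being made without credentials (for example an unsigned object URL handed to the browser), and the usual fix is to serve such objects through presigned URLs rather than by opening the bucket.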
