Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Trying to use S3 and IAM Identity Center together

0

I setup an S3 bucket so another company could upload some data to it. They gave me a policy to copy and paste in to allow them to upload to my bucket. After several hours of debugging with no help from the absolutely useless AWS error messages we eventually figured out our regions didn't match (why they have to match when S3 buckets are globally unique I don't know...). I can see the objects in the web interface, so now I have the data! Right? RIGHT?

Nope, I cannot aws cp the data because it says I don't have permission. This seems strange. I created the bucket. It's MY bucket, and the docs say the default is to allow access from your own account. How can I not have permission? I reach out to the other company and they tell me it's because the presence of their policy (the one I copy and pasted) prevents the default that gives me access from activating. If that's true, I could get access by just deleting the policy. However I may need more data from them in the future, so I'd like to add a new statement allowing me to download the data instead.

I'm using IAM Identity Center, so to follow best practice I figure I need to create a user that only has permission to read buckets and not write to them. So I create a user with the ReadOnly permission set. So far so good. Then I try to add a statement to the bucket, with that new user as principal... doesn't work. Nothing I've tried is accepted, I just keep getting the unhelpful "Invalid Principal" message. The docs say you should be able to write "arn:aws:iam::AWS-account-ID:user/user-name-1" with your account ID and IAM Identity Center username substituted in. But that doesn't work, I just get the "Invalid Principal" error message. I've also tried using the User-ID for that user in the IAM Identity Center, and the "Federated user" name that shows up in the upper right corner menu when logged into the console as the new user. Using "arn:aws:iam::AWS-account-ID:root" with the same account ID works, so I know the account ID part is correct.

  • vtjean
    3 years ago

    Could you provide the bucket policy?

  • vtjean
    3 years ago

    Have you considered using AWS S3 Presigned URLs?

  • cantbelievethis
    3 years ago

    Here it is with sensitive info removed

    {
	"Version": "2012-10-17",
	"Id": "Policy1685107691424",
	"Statement": [
		{
			"Sid": "other_company_access",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::{other_company_id}:user/{other_company_user}"
			},
			"Action": "s3:*",
			"Resource": "arn:aws:s3:::{mybucketname}"
		},
		{
			"Sid": "read_only_access",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::{myaccountid}:user/{myiamusername}"
			},
			"Action": "s3:*",
			"Resource": "arn:aws:s3:::{mybucketname}"
		}
	]
}
  • cantbelievethis
    3 years ago

    I haven't looked at presigned URLs. I'd like to understand what about this approach doesn't work before going down the rabbit hole of another approach that will probably break with a different obscure error :P

Topics
Security, Identity, & ComplianceStorage
Tags
AWS IAM Identity CenterAmazon Simple Storage Service
Language
English
asked 3 years ago3.4K views
2 Answers
0

Check NirvaShare, it can solve your problem to provide secure access to the S3 storage using identity center users. You can also manage access at folder level with internal and external users. Marketplace - https://aws.amazon.com/marketplace/pp/prodview-hcqszucfxsvye

answered 10 months ago
-1

IAM Identity Center users do not contain an ARN (IAM ARN is not a substitute). You can allow access to your user to the S3 Bucket would be to use the Identity Center User information (User ID and Username) as a Condition in the S3 Bucket policy.

Example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "UserID",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [ "s3:*"],
            "Resource": "arn:aws:s3:::mybucket/*",
            "Condition": {
                "StringLike": {
                    "aws:userId": "SSOUserID:SSOUserName"
                }
            }
        }
    ]
}
AWS
answered 3 years ago
  • cantbelievethis
    3 years ago

    Didn't work, same error.

    fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden

    I got the user ID from the IAM Identity Center, it's a long hex string with dashes in it, and I used the username listed there too.

  • Marwan
    2 years ago

    Hello, it didn't work also for me, please can you help to fix it

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content