Adding policy to STS.assumeRole() angular / javascript

I have a user role set up with the following permission:

{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [
        "*"
    ]
}

Using assumeRole() with this works as expected, however I am trying to programmatically restrict access to sub folders, so during the assumeRole call I add:

{
    Version: "2012-10-17",
    Statement: [
        {
            Effect: "Allow",
            Action: ["s3:GetObject", "s3:ListBucket"],
            Resource: ["arn:aws:s3:::BUCKET/SUBFOLDER/*"],
        },
    ],
}

as the policy parameter (after JSON encoding it) but I then get 403 access denied when trying to access any of the folders, root or otherwise.

Setting the above as a policy in its own right works fine too, so the policy seems to be formatted correctly.

Has anyone had this before, or am I doing something obviously wrong?

asked 3 years ago, 313 views
1 Answer

The resource for a ListBucket is a bucket and the resource for a GetObject is an object. Try splitting the actions out into their own statements. With the ListBucket you can use an 's3:prefix' condition to restrict it. See: Actions, resources, and condition keys for Amazon S3.

AWS
EXPERT
answered 3 years ago
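
The split the answer describes, as an added example that is not part of the original question or answer: a session policy with `s3:ListBucket` on the bucket ARN (limited by `s3:prefix`) and `s3:GetObject` on the object ARNs. The helper names, role ARN and session name are hypothetical, and `statementCovers` is a simplified Action/Resource matcher that ignores conditions, not IAM's evaluation logic.

```javascript
// Build a session policy that scopes an assumed-role session to one prefix.
function buildPrefixSessionPolicy(bucket, prefix) {
  const p = prefix.replace(/^\/+|\/+$/g, ""); // "SUBFOLDER/" -> "SUBFOLDER"
  // Reject wildcards so a caller-supplied prefix cannot widen the policy.
  if (!bucket || !p || /[*?]/.test(bucket + p)) {
    throw new Error("bucket and prefix must be non-empty, without wildcards");
  }
  return {
    Version: "2012-10-17",
    Statement: [
      { // Bucket-level action: Resource is the bucket, s3:prefix limits listing.
        Effect: "Allow",
        Action: "s3:ListBucket",
        Resource: `arn:aws:s3:::${bucket}`,
        Condition: { StringLike: { "s3:prefix": [`${p}/*`] } },
      },
      { // Object-level action: Resource is the object ARNs under the prefix.
        Effect: "Allow",
        Action: "s3:GetObject",
        Resource: `arn:aws:s3:::${bucket}/${p}/*`,
      },
    ],
  };
}

// Simplified check: does any Allow statement match this action and ARN?
function statementCovers(policy, action, arn) {
  const toRe = (pat) => new RegExp("^" + pat
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*").replace(/\?/g, ".") + "$");
  return policy.Statement.some((s) =>
    s.Effect === "Allow" &&
    [].concat(s.Action).some((a) => toRe(a).test(action)) &&
    [].concat(s.Resource).some((r) => toRe(r).test(arn)));
}

// Parameters for STS AssumeRole; Policy must be a JSON string.
function assumeRoleParams(roleArn, sessionName, bucket, prefix) {
  return {
    RoleArn: roleArn,             // placeholder value supplied by the caller
    RoleSessionName: sessionName, // placeholder value supplied by the caller
    Policy: JSON.stringify(buildPrefixSessionPolicy(bucket, prefix)),
  };
}
```

Run against the policy from the question, `statementCovers` returns false for `s3:ListBucket` on `arn:aws:s3:::BUCKET`, because the only resource pattern in that policy matches object ARNs under `SUBFOLDER/`.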
