By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

List contents of buckets

0

Good afternoon all,

I'm quite new to IAM and policy writing so any help would be appreciated.

Basically i would like to give one of our IAM users access to list the bucket contents but they get "An error occurred (access denied) when calling the ListBuckets operation: Access Denied

This is my policy, what is wrong?
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObjectVersion",
"s3:PutObjectVersionAcl",
"s3:ListBucket",
"s3:DeleteObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::Bucketname"
]
}
]
}
Thanks
Simon

Topics
Security, Identity, & Compliance
Tags
AWS Identity and Access Management
Language
English
SimonUK
asked 3 years ago3453 views
2 Answers
1

Hi Simon,

The error "An error occurred (access denied) when calling the ListBuckets operation: Access Denied" would occur if your user does not have permission to view all the S3 buckets in your account. "ListBuckets" is the name of the API call that is made to list all S3 buckets. The corresponding permission to request this API is "s3:ListAllMyBuckets". Therefore, if your user requires access to view all buckets in your account, or they are accessing the S3 console, you will have to add the "s3:ListAllMyBuckets" to the IAM user's policy.

While framing a policy, it is also important to note that some actions support resource-level permissions and some do not. For example, "s3:ListAllMyBuckets" does not support resource-level permissions and you must specify all resources ("*") for this permission. On the other hand, "s3:ListBucket" which is the permission required to list the contents in your bucket, requires you to specify a bucket as the resource. Permissions like "s3:PutObject" and "s3:GetObject" are object-level permissions, and therefore, you must specify an object as the resource. To get a better understanding of which S3 action supports which resource, you can refer to the following link (It also acts as a handy guide while framing policies):

https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html

So in this case, the correct policy would look as follows:

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ObjectPermissions",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObjectVersion",
"s3:PutObjectVersionAcl",
"s3:DeleteObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::Bucketname/"
},
{
"Sid": "ListBucketContents",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::Bucketname"
},
{
"Sid": "ListAllBuckets",
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": ""
}
]
}

With this policy attached, the user will have access to list all S3 buckets in your account but will be able to list the contents of only the specified bucket. The user will also be able to upload, download and delete objects from the specified bucket.

Hope this helps :)

AWS
SUPPORT ENGINEER
Deepika_K
answered 3 years ago
0

Thank you so much, that has resolved my problem.

SimonUK
answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content