IAM user access to S3: uploads fail

0

Based on this:
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-policies-s3.html#iam-policy-ex0

I created an IAM user and attached a policy similar to this (the only difference being using the real bucket name instead of "examplebucket"):

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListAllMyBuckets"
         ],
         "Resource":"arn:aws:s3:::*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListBucket",
            "s3:GetBucketLocation"
         ],
         "Resource":"arn:aws:s3:::examplebucket"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:GetObject",
            "s3:GetObjectAcl",
            "s3:DeleteObject"
         ],
         "Resource":"arn:aws:s3:::examplebucket/*"
      }
   ]
}

When I log in as the new IAM user via the console, I can go to S3 and list all the S3 buckets, but there are two problems:

  1. In the main S3 window, there is an "Error" indication in the "Access" column for every bucket. Screenshot here:

https://testify4love.s3-us-west-2.amazonaws.com/maxi_bucket_access_error.jpg

  2. When I try to upload a file to examplebucket or a folder under it, the upload fails.

Any suggestions would be welcome.

asked 3 years ago, 27 views
4 Answers
0
Accepted Answer

Hi,
Try attaching the following Policy to your user's group. With this policy, I was able to upload files to the specified bucket AND the access column was being displayed properly. Note: the first "Action" is required to properly display the Access column.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetAccountPublicAccessBlock",
                "s3:GetBucketAcl",
                "s3:GetBucketPolicyStatus"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject*"
            ],
            "Resource": [
                "arn:aws:s3:::examplebucket/*",
                "arn:aws:s3:::examplebucket"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::examplebucket/*"
        }
    ]
}

Hope this helps!
-randy

answered 3 years ago
0

Hi Randy - Thanks for your help.

I tried this, and it did cure the "Access" column problem. The proper status, such as "Public", is now displayed. So, progress.

And when I try to upload a file, the blue progress indicator goes to 100%, and says "Successful" -- which it was not doing before -- but then the file does not upload. And there is an error indicated, like this:
https://testify4love.s3-us-west-2.amazonaws.com/maxi_bucket_failures.png

I added your policy to the one I had before. Should I delete the one I had created -- or at least remove it from this user?

Thanks again!

Edited by: mikeh100 on Aug 17, 2019 9:15 PM

answered 3 years ago
0

Yes, please delete the one you created. Let me know if it works.
-randy

answered 3 years ago
0

Thanks, Randy. Unfortunately, that didn't seem to change anything. Looking at the details of the failed upload, it says "forbidden". I find I can download, by the way.

OMG I just realized I had the bucket name wrong! I put "mybucket" in the policy when the name was actually "mybucket.com". When I corrected that, your policy worked. Thank you again, Randy!

Edited by: mikeh100 on Aug 18, 2019 1:29 AM

answered 3 years ago
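
The root cause found at the end of this thread (a policy written for "mybucket" while the bucket is "mybucket.com") can be caught offline before attaching a policy. The following is an added example, not code from any poster in the thread: a simplified evaluator that checks only the Allow statements of an identity policy and does not model Deny, Condition, bucket policies or ACLs; the function names and the object key "report.txt" are constructed for illustration.

```python
import re

ARN_PREFIX = "arn:aws:s3:::"

def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def _wild(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def is_allowed(policy, action, resource_arn):
    # Simplified: Allow statements only; no Deny, Condition, NotAction/NotResource.
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if (any(_wild(a, action, ignore_case=True) for a in _as_list(stmt["Action"]))
                and any(_wild(r, resource_arn) for r in _as_list(stmt["Resource"]))):
            return True
    return False

def buckets_named(policy):
    # Bucket names that appear in the policy's S3 resource ARNs.
    names = set()
    for stmt in _as_list(policy["Statement"]):
        for res in _as_list(stmt["Resource"]):
            if res.startswith(ARN_PREFIX):
                names.add(res[len(ARN_PREFIX):].split("/", 1)[0])
    return names

def denied_actions(policy, bucket, key, actions):
    # Actions the policy does not allow on one object in the real bucket.
    arn = f"{ARN_PREFIX}{bucket}/{key}"
    return [a for a in actions if not is_allowed(policy, a, arn)]

def upload_policy(bucket):
    # Object-level statement of the accepted answer's policy, bucket name substituted.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:GetObjectAcl", "s3:GetObject",
                   "s3:DeleteObject", "s3:PutObjectAcl"],
        "Resource": f"{ARN_PREFIX}{bucket}/*"}]}

if __name__ == "__main__":
    uploads = ["s3:PutObject", "s3:PutObjectAcl"]
    for written_for in ("mybucket", "mybucket.com"):
        pol = upload_policy(written_for)
        print(written_for, buckets_named(pol), denied_actions(pol, "mybucket.com", "report.txt", uploads))
```

Comparing `buckets_named(policy)` against the intended bucket name shows the mismatch directly, and a non-empty `denied_actions` result lists which upload actions the policy does not cover.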
