IAM how to give access to list certain buckets

0

HI folks,

I feel like this should be super simple, but I think I have everything enabled as it should be.

I have a user, to whom I've given a policy like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
            ]
        }
    ]
}

However, he cannot see the bucket in the bucket list view. No buckets are listed. I would think, since I've given the user the action s3:* for that bucket, they should be able to see that bucket listed. Am I wrong?

Cheers.

3 Answers
1

What you've done is fine for accessing the bucket. But to have the S3 Console working properly they need "s3:GetBucketLocation", "s3:ListAllMyBuckets" allowed.

EXPERT
answered a year ago
  • This was the answer. Important to note that the ListAllMyBuckets perm needs to have no resource restrictions.

  • Glad it worked! If you get around to it, please hit Accept on this answer to help future people searching for the solution.

0

Check for a bucket policy that is blocking access. Or an SCP. You can investigate using the Policy Simulator. Make sure to fill out the Resource in the simulator.

AWS
EXPERT
kentrad
answered a year ago
0

Hello!

Granting the s3:* permission to a user allows them to perform any action on the S3 bucket and its objects, but it does not necessarily grant them the permission to list the bucket. To list the buckets, the user needs the s3:ListAllMyBuckets permission.

To grant the s3:ListAllMyBuckets permission to the user, you can add a statement to their policy like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
            ]
        }
    ]
}

Note that granting the s3:ListAllMyBuckets permission allows the user to list all the S3 buckets in your AWS account, so make sure to review and restrict the user's access as needed.

Let me know if that answered your question

AWS
EXPERT
ZJon
answered a year ago
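As an added illustration of the point made in the accepted answer and in ZJon's answer (s3:ListAllMyBuckets only works with Resource "*", while the question's s3:* grant on the bucket ARN already covers bucket-level calls such as s3:GetBucketLocation for that bucket), here is a toy Python model of IAM's Action/Resource matching. It is not code from this thread and not AWS's evaluator. It assumes the documented rule that an action without a resource type is granted only by Resource "*" and models that as the request resource being the literal "*"; it ignores bucket policies, SCPs, permissions boundaries and Condition blocks, so kentrad's Policy Simulator suggestion remains the authoritative check against a real account. The bucket name is the one from the question; the policy dictionaries are constructed for the example.

```python
"""Toy model of IAM policy matching, added to illustrate the thread above.

It is NOT the real IAM evaluator: it only models Effect, Action and Resource
with '*' and '?' wildcards, explicit-deny-wins and implicit deny by default.
Bucket policies, SCPs, permissions boundaries and Condition blocks are ignored.
"""
import fnmatch

# s3:ListAllMyBuckets has no resource type. IAM only grants it when the
# statement's Resource is "*"; modelled here as the request resource being
# the literal "*" (modelling assumption, see lead-in).
ACCOUNT_LEVEL_ACTIONS = {"s3:ListAllMyBuckets"}

BUCKET = "arn:aws:s3:::my-bucket"  # bucket name taken from the question


def _as_list(value):
    """Policy JSON allows a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_sensitive=True):
    """IAM-style wildcard match: '*' any run, '?' one character.
    Action names match case-insensitively, ARNs case-sensitively."""
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policies, action, resource):
    """Decide one request against a list of identity-based policy documents.

    Returns "Allow", "Deny" (an explicit Deny matched) or "ImplicitDeny"
    (nothing matched). Explicit deny wins over any Allow.
    """
    if action in ACCOUNT_LEVEL_ACTIONS:
        resource = "*"
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            action_hit = any(_matches(p, action, case_sensitive=False)
                             for p in _as_list(stmt["Action"]))
            resource_hit = any(_matches(p, resource)
                               for p in _as_list(stmt["Resource"]))
            if action_hit and resource_hit:
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision


# The policy from the question: every S3 action, but only on one bucket.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ["s3:*"],
        "Resource": [BUCKET, BUCKET + "/*"],
    }],
}

# The fix from the answers: ListAllMyBuckets on "*" plus the original grant.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "*"},
        QUESTION_POLICY["Statement"][0],
    ],
}

# A tempting but broken variant: ListAllMyBuckets scoped to the bucket ARN.
RESTRICTED_LIST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListAllMyBuckets"],
        "Resource": [BUCKET, BUCKET + "/*"],
    }],
}


def console_checks(policy):
    """The calls behind the console's bucket list: list the account's
    buckets, then locate and list the bucket the user is interested in."""
    return {
        "s3:ListAllMyBuckets": evaluate([policy], "s3:ListAllMyBuckets", "*"),
        "s3:GetBucketLocation": evaluate([policy], "s3:GetBucketLocation", BUCKET),
        "s3:ListBucket": evaluate([policy], "s3:ListBucket", BUCKET),
    }


if __name__ == "__main__":
    for name, policy in [("question", QUESTION_POLICY),
                         ("fixed", FIXED_POLICY),
                         ("restricted list", RESTRICTED_LIST_POLICY)]:
        print(f"{name:16} {console_checks(policy)}")
```

Running it, the "question" row shows s3:GetBucketLocation and s3:ListBucket allowed on my-bucket but s3:ListAllMyBuckets implicitly denied, which is exactly the empty bucket list the question describes; the "restricted list" row shows that scoping ListAllMyBuckets to the bucket ARN grants nothing at all. The trade-off ZJon raises still applies: once ListAllMyBuckets is granted on "*", the user can see every bucket name in the account, and there is no resource-level way to narrow it to one bucket.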
