bucket policy vs IAM roles policy

Question

I have a bucket policy mentioning some roles with only get and put object permission. I also have another Role and a separate policy attached to it having multipart upload permission along with KMS decrypt and generate data key permission attached to lambda function. While lambda execution , getting assumed role/lambdaname does not have generatedatakey permission. But the permission is there for the role. Should i add this role along with all permissions in the bucket policy. Does it have preference?
I do have S3 vpc endpoint and kms:generatedatakey and KMS:Decrypt is not present there. Should i mention it there.

Answer

Hi Khalid,

Rather than trying to reword it and be unprecise, I suggest you to go to https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html  to see how resource-based policies and identity-based policies work together.

The doc has nice charts that make it more visual so easier to understand.

![Enter image description here](/media/postImages/original/IMsfiYmbgsTsmRfaE4eKc9JQ)

Best.

Didier

bucket policy vs IAM roles policy

相關內容