I'm using AWS IAM STS (via boto) to create credentials for my accessing an S3 bucket. I'm at a loss as to what's wrong in the following policy. I've simplified my poli
Here I get 403 errors when I try to access S3.
How do you actually try to access S3, i.e. by means of which tool, service, API?
Quite often a use case involves S3 API calls addressing different resource types as well, besides the Resource targeted by the policy already. Specifically, you'll need to be aware of the difference between Operations on the Service (e.g. ListAllMyBuckets), Operations on Buckets (e.g. ListBucket) and Operations on Objects (e.g. GetObject).
If your S3 access method implicitly uses any other resource types as well (i.e. besides the object resources you are already addressing via buck_binary_bucket_bay-earth-d5a/*), these require respective additional policies accordingly. For example, the common requirement of being able to list the objects in the bucket via ListBucket before accessing the objects themselves would require a respective policy fragment addressing the bucket like so:
"Statement":[
  {
    "Effect":"Allow",
    "Action":"s3:ListBucket",
    "Resource":"arn:aws:s3:::buck_binary_bucket_bay-earth-d5a"
  }
]
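The service/bucket/object distinction described in the answer above can be checked mechanically before a policy is handed to STS. The following is an added example, not code from the original post or from AWS: the action table is a small illustrative subset, the bucket name `example-bucket` and the sample policy are constructed, and the ARN classification is a simplification that assumes `*` in a bucket name can also match object keys.

```python
import json

# Resource level each S3 action operates on (illustrative subset only;
# wildcard actions such as "s3:*" are not expanded and are skipped).
ACTION_LEVEL = {
    "s3:ListAllMyBuckets": "service",
    "s3:ListBucket": "bucket",
    "s3:GetObject": "object",
    "s3:PutObject": "object",
}

def levels_covered(resource):
    """Levels an S3 Resource pattern can match (simplified assumption)."""
    if resource == "*":
        return {"service", "bucket", "object"}
    name = resource.split(":::", 1)[-1]
    if "/" in name:
        return {"object"}
    return {"bucket", "object"} if "*" in name else {"bucket"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def ineffective_grants(policy_json):
    """Return (action, needed_level, resources) for every Allow'ed action
    whose statement names no resource at the level the action operates on."""
    findings = []
    for stmt in as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        resources = as_list(stmt["Resource"])
        covered = set().union(*(levels_covered(r) for r in resources))
        for action in as_list(stmt["Action"]):
            level = ACTION_LEVEL.get(action)
            if level and level not in covered:
                findings.append((action, level, resources))
    return findings

# Constructed sample: ListBucket is granted only on the object ARN,
# so listing the bucket would still be denied.
SAMPLE_POLICY = """{
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}"""

if __name__ == "__main__":
    for action, level, resources in ineffective_grants(SAMPLE_POLICY):
        print(f"{action} needs a {level}-level resource, got {resources}")
```
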