Question
I have the below keys under the bucket demo.for.customers:
demo.for.customers/customer1/
demo.for.customers/customer2/
Now I have 2 customers, namely customer1 and customer2. This is what I want:
- Grant them access to only the demo.for.customers bucket.
- customer1 should be able to access only demo.for.customers/customer1/ and customer2 should be able to access only demo.for.customers/customer2/.
And I am able to achieve this with the policy below (I am creating a policy for each customer, hence I am pasting only the one for customer1 below). I have defined this policy in IAM and not in S3.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::*"]
    },
    {
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::demo.for.customers"],
      "Condition": {"StringEquals": {"s3:prefix": ["", "customer1/"], "s3:delimiter": ["/"]}}
    },
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::demo.for.customers/customer1/*"]
    }
  ]
}
Problem:
- Customer1 is able to see all my buckets although he can't access any of them. I don't want this. He should be able to see only demo.for.customers.
- Customer1 is able to see demo.for.customers/customer2 as well although he can't access it. This is highly unacceptable as I don't want him to even see what other customer folders I have under this bucket.
QUESTIONS:
- After doing a lot of googling, I came to know that there is no way to list specific buckets. Is this really true?
- However, I have to find a way to list only specific folders inside a bucket for a given user. How to do that?
Thanks.
Answer 1:
Regarding your problems:
- Unfortunately there is no way to list only certain buckets. If the intent is just to allow access to the one known bucket, I would remove the first statement entirely as it does not add any value (the bucket is already known and would not need to be listed).
- Can you show the code you are using to list the bucket contents? Based on what you've shown here I would expect customer1 to only be able to list the bucket contents at the root of their prefix and nowhere else.
Regarding your questions:
- Yes, there is no way to list certain buckets. The list buckets API is an all or nothing operation.
- This is done by prefix. What language are you using? We have a sample for the AWS Mobile SDKs that uses a Token Vending Machine to deliver per user access to an S3 bucket.
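An added example, not part of the question or the answer: the Python below simulates the `StringEquals` condition on `s3:prefix` and `s3:delimiter` from the posted ListBucket statement against a constructed set of keys (the object names are made up) so you can see which ListObjects requests IAM lets through and what each one returns. It also evaluates a tightened variant of the condition that I am suggesting here, with the empty prefix `""` removed; that entry is what allows a root-level listing whose CommonPrefixes reveal the other customers' folders.

```python
"""Simulate the IAM ListBucket prefix/delimiter condition from the question.

Added example (not from the question or answer). The bucket contents and the
tightened condition are constructed for illustration.
"""
from typing import Optional

# Constructed keys standing in for the bucket demo.for.customers.
BUCKET_KEYS = [
    "customer1/",
    "customer1/invoice.pdf",
    "customer1/reports/q1.csv",
    "customer2/",
    "customer2/contract.pdf",
]

# Condition block copied from the posted policy: the empty prefix "" lets the
# caller list the root of the bucket.
ORIGINAL_CONDITION = {"s3:prefix": ["", "customer1/"], "s3:delimiter": ["/"]}

# Hypothetical tightened condition: only the customer's own prefix is allowed.
TIGHTENED_CONDITION = {"s3:prefix": ["customer1/"], "s3:delimiter": ["/"]}


def list_bucket_allowed(condition: dict, prefix: str, delimiter: Optional[str]) -> bool:
    """Evaluate StringEquals on s3:prefix and s3:delimiter.

    A ListObjects call with no prefix parameter is seen by IAM as prefix "".
    A call with no delimiter has no s3:delimiter context key at all, and a
    StringEquals condition on a missing key evaluates to false, so the request
    is denied. Because the match is exact, a deeper prefix such as
    "customer1/reports/" is also denied; allowing it would need StringLike
    with "customer1/*".
    """
    if prefix not in condition["s3:prefix"]:
        return False
    if delimiter is None or delimiter not in condition["s3:delimiter"]:
        return False
    return True


def list_objects(keys, prefix: str, delimiter: Optional[str]):
    """Model S3 ListObjects: keys under the prefix, rolled up at the delimiter.

    Returns (Contents, CommonPrefixes) as sorted lists.
    """
    contents, common = [], set()
    for key in keys:
        if not key.startswith(prefix):
            continue
        rest = key[len(prefix):]
        if delimiter and delimiter in rest:
            common.add(prefix + rest.split(delimiter, 1)[0] + delimiter)
        else:
            contents.append(key)
    return sorted(contents), sorted(common)


def simulate(condition: dict, prefix: str = "", delimiter: Optional[str] = "/"):
    """Combine the policy check with the listing; None means AccessDenied."""
    if not list_bucket_allowed(condition, prefix, delimiter):
        return None
    return list_objects(BUCKET_KEYS, prefix, delimiter)


def other_customers_visible(condition: dict) -> list:
    """Top-level folders a customer1 principal can discover that are not its own."""
    result = simulate(condition, "", "/")
    if result is None:
        return []
    _, common = result
    return [p for p in common if p != "customer1/"]


if __name__ == "__main__":
    for name, cond in [("original", ORIGINAL_CONDITION), ("tightened", TIGHTENED_CONDITION)]:
        print(f"{name}: root listing   -> {simulate(cond, '', '/')}")
        print(f"{name}: own prefix     -> {simulate(cond, 'customer1/', '/')}")
        print(f"{name}: leaked folders -> {other_customers_visible(cond)}")
```

With the tightened condition the client must always send prefix=customer1/ and delimiter=/ on ListObjects (a bare listing of the bucket root, which is what the console does, becomes AccessDenied); the third statement granting s3:* on the customer1/* object ARNs is unaffected.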
Source: https://stackoverflow.com/questions/20040992/iam-policy-to-list-specific-folders-inside-a-s3-bucket-for-an-user