I'm using AWS IAM STS (via boto) to create credentials for my accessing an S3 bucket. I'm at a loss as to what's wrong in the following policy. I've simplified my policy down as much as possible and am still getting unexpected results.
When I get the token for the user I attach the following policy:
user_policy_string = r'{"Statement":[{"Effect":"Allow","Action": "s3:*","Resource":"arn:aws:s3:::*"}]}'
This works, but is obviously a little too permissive. In narrowing down the permissions associated with these credentials I attempt to use the same policy, but specify the bucket:
user_policy_string = r'{"Statement":[{"Effect":"Allow","Action": "s3:*","Resource":"arn:aws:s3:::buck_binary_bucket_bay-earth-d5a/*"}]}'
Here I get 403 errors when I try to access S3. Based on the AWS docs I'm sure this is the way to address a specific bucket in the policy, so I'm at a loss as to what could be causing this restriction. Am I referring to the bucket incorrectly?
In the S3 console, the policy is empty (have tried adding a totally permissive policy as well). For the AWS account used to generate the STS tokens, the policy is as follows:
"Statement": [
{
"Effect": "Allow",
"Action": "sts:GetFederationToken",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:GetUser",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
Here I get 403 errors when I try to access S3.
How do you actually try to access S3, i.e. by means of which tool, service, API?
Quite often a use case involves S3 API calls addressing a different resource types as well besides the Resource targeted by the policy already. Specifically, you'll need to be aware of the difference between Operations on the Service (e.g. ListAllMyBuckets), Operations on Buckets (e.g. ListBucket) and Operations on Objects (e.g. GetObject).
If your S3 access method implicitly uses any other resource types as well (i.e. besides the object resources you are already addressing via buck_binary_bucket_bay-earth-d5a/*), these require respective additional policies accordingly. For example, the common requirement of being able to list the objects in the bucket via ListBucket before accessing the objects themselves would require a respective policy fragment addressing the bucket like so:
"Statement":[{
"Effect":"Allow",
"Action":"s3:ListBucket",
"Resource":"arn:aws:s3:::buck_binary_bucket_bay-earth-d5a",
}
]
来源:https://stackoverflow.com/questions/9089125/problems-specifying-a-single-bucket-in-a-simple-aws-user-policy