I am trying to give a programmatic IAM user access to a single bucket.
I setup the following policy and attached it to the user:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::mybucket"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::mybucket/*"
]
}
]
}
Trying to programatically upload a file I got a 403.
I got this policy from here:
Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket
I verified that everything else is working by then adding an AWS managed policy, AmazonS3FullAccess, after which my upload succeeded. But I would rather not give this user full access.
There are no other policies attached to this user.
You can try this policy to give full access to a particular bucket:
{
"Version": "2012-10-17",
"Statement": [{
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::<BUCKETNAME>/*"
]
},
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
}
]
}
Since you are providing Put, Get, Delete, You might as well provide full access to the particular bucket.
Nothing is wrong with your policy. Make sure you're using the right bucket name in the IAM policy and to add the policy to the user.
You can test it with IAM Policy Simulator. Maybe you should consider the time to policies take effect, but it's "almost immediately". See this answer.
来源:https://stackoverflow.com/questions/49836658/what-is-wrong-with-my-aws-policy