Giving an AWS IAM User access to a single bucket

This is just my notes on the subject of granting access to a S3 bucket to an AWS IAM User. Figuring it out was much harder than it should have been...

  • Create an IAM user
  • Create a S3 bucket.
  • Configure aws-cli on your system with a profile for the new user.
  • Edit the bucket policy and paste the following into it. Replacing placeholders as needed.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::NNNNNNNNNNNN:user/NEWUSER"
            },
            "Action": ["s3:*"],
            "Resource": "arn:aws:s3:::NEWBUCKET"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::NNNNNNNNNNNN:user/NEWUSER"
            },
            "Action": ["s3:*"],
            "Resource": "arn:aws:s3:::NEWBUCKET/*"
        }
    ]
}

That should grant your user all S3 permissions only on the bucket you are adding the policy to. Remember that if you apply other policies to that buck via AWS's security manager, this could mess up. Also, remember you can limit things to specific actions by listing them in the Actions field.

The key thing for me was the second statement. My upload would not work until I added the statement with the "/*" on the end of the bucket resource.

Oh, and please double check the new bucket's security before you are done. Don't just copy paste from here and think you're perfectly fine.

 

Submitted by david.reagan on