1 Rookie

2 Posts

September 14th, 2023 18:44

S3 policy for IAM user

Hello, 
When I set the following policy for an IAM user, the user can no longer see the list of buckets (S3 Browser and S3 endpoint).
I want to put a policy in place so that the IAM user can only see one bucket and can perform any action on that bucket. 
I tested this on an S3-compatible (Minio) system, and the user's access to one bucket was restricted.
I would appreciate it if you could guide me on how this can be done.

Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::bucket-name",
        "arn:aws:s3:::bucket-name/*"
      ]
    }
  ]
}

Moderator

7.7K Posts

September 15th, 2023 12:09

Hello mehrshad,

Here are a couple of links to guides that may be of assistance.

https://dell.to/3Rnxp9b

https://dell.to/3RuJucy

1 Rookie

58 Posts

November 14th, 2023 11:49

To set up granular permissions: click on User > Permissions > Add Inline Policy

and try something like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::yourbucket",
        "arn:aws:s3:::yourbucket/*"
      ],
      "Effect": "Allow",
      "Sid": "AllowFullBucketAccess"
    },
    {
      "Action": "s3:CreateBucket",
      "Resource": "*",
      "Effect": "Deny",
      "Sid": "DenyBucketCreation"
    }
  ]
}

In S3 Browser, right-click 'Add External Bucket', paste in your bucket name exactly, and you should have access.

1 Rookie

5 Posts

January 30th, 2024 09:46

Any luck here?

As soon as I add a Resource for a specific bucket I get Access Denied, and as soon as I remove it I can see all buckets.

This worked a few weeks ago but not now.

Moderator

9.4K Posts

January 30th, 2024 14:21

Hi,

Thanks for your question.

Were there any changes from a few weeks ago to now? Is it only certain users that it does this to?

 

Let us know if you have any additional questions.

1 Rookie

5 Posts

September 2nd, 2024 08:08

Hi again,

When I apply a specific resource, as in the image, to an S3 user with maxed-out privileges, it's impossible to connect with a user ID that has that policy. If I remove the resource it works.

So I have to mitigate the issue by working with a bucket policy (not as nice).

Any thoughts?

Moderator

9.4K Posts

September 3rd, 2024 13:13

Hi,

Thanks for your question.

This might help: https://dell.to/4cTu7BH, but it does say to use bucket permissions instead of ACLs for permission issues.

 

 

Let us know if you have any additional questions.

1 Rookie

5 Posts

September 5th, 2024 08:08

Hi,

All good now and it works as designed. :)

Thanks for replies.

Cheers

Michael

Cloudist AB (Sweden)

1 Rookie

5 Posts

February 28th, 2025 09:52

With S3, if you grant a user the s3:ListAllMyBuckets permission, you cannot limit the result set there. I.e., the user will see all bucket names in the namespace, but access to the buckets might be restricted. This is the S3 API working as expected. You'd have to separate users by namespace, or not allow them ListAllMyBuckets at all and give them access only to specific buckets instead.
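The behaviour described in this thread (a Resource restricted to one bucket makes bucket listing fail, because s3:ListAllMyBuckets is account-scoped and is only matched by a wildcard Resource) can be reproduced offline with a small policy evaluator. The following is an added example written for this page, not code from the thread, from Dell, MinIO or AWS. It models only the IAM rules that matter here: explicit Deny wins, any matching Allow permits, everything else is implicitly denied. The bucket names, the sample requests and the choice to represent the ListAllMyBuckets request as the namespace-wide ARN arn:aws:s3:::* are all assumptions made for the demonstration; real ECS or MinIO evaluation may differ in details, so confirm the final policy against the target system.

```python
# Added example (not from the thread): a minimal evaluator for IAM-style S3 policies,
# showing why restricting Resource to one bucket blocks bucket listing and how a
# separate s3:ListAllMyBuckets statement with Resource "*" restores it.
# Simplified IAM rules only: explicit Deny wins, any matching Allow permits,
# otherwise implicit deny. Bucket names and requests below are constructed.
import fnmatch
import json

# Policy shaped like the one in the original question: full access to one bucket only.
BUCKET_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FullAccessToOneBucket",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*"],
        }
    ],
}

# Corrected policy: the same bucket grant, plus ListAllMyBuckets on every resource
# (that action is account-scoped and never carries a bucket ARN, so only a wildcard
# Resource can match it), plus an explicit Deny on bucket creation as a guard rail.
LIST_PLUS_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListBucketNames",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*",
        },
        {
            "Sid": "FullAccessToOneBucket",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*"],
        },
        {
            "Sid": "DenyBucketCreation",
            "Effect": "Deny",
            "Action": "s3:CreateBucket",
            "Resource": "*",
        },
    ],
}

# Constructed sample requests: (action, resource the request is evaluated against).
# ListAllMyBuckets has no bucket ARN; it is modelled here (an assumption) as the
# namespace-wide ARN so that only "*" or "arn:aws:s3:::*" patterns can match it.
SAMPLE_REQUESTS = [
    ("s3:ListAllMyBuckets", "arn:aws:s3:::*"),
    ("s3:ListBucket", "arn:aws:s3:::bucket-name"),
    ("s3:GetObject", "arn:aws:s3:::bucket-name/reports/q3.csv"),
    ("s3:GetObject", "arn:aws:s3:::other-bucket/secret.txt"),
    ("s3:CreateBucket", "arn:aws:s3:::bucket-name"),
]


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive=False):
    """IAM wildcard match: '*' is any run of characters, '?' a single character.
    Action names are case-insensitive; ARNs are case-sensitive."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """Return True if the policy allows (action, resource): an explicit Deny on a
    matching statement overrides everything, otherwise any matching Allow wins."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action, True) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit deny: no later Allow can rescue the request
        allowed = True    # remember the Allow; a later Deny could still override it
    return allowed


def evaluate(policy, requests=SAMPLE_REQUESTS):
    """Map each 'action resource' request string to its Allow (True) / Deny (False)."""
    return {f"{a} {r}": is_allowed(policy, a, r) for a, r in requests}


if __name__ == "__main__":
    for name, policy in (("bucket-only", BUCKET_ONLY_POLICY),
                         ("list+bucket", LIST_PLUS_BUCKET_POLICY)):
        print(f"== {name} ==")
        for req, ok in evaluate(policy).items():
            print(f"{'ALLOW' if ok else 'DENY ':5} {req}")
    print(json.dumps(LIST_PLUS_BUCKET_POLICY, indent=2))
```

Running it shows the bucket-only policy denying s3:ListAllMyBuckets while still allowing object access inside bucket-name, and the corrected policy allowing the listing without widening access to other-bucket; the explicit Deny on s3:CreateBucket also shows why the DenyBucketCreation statement from the earlier answer wins over the broad s3:* Allow. As the last post notes, once ListAllMyBuckets is granted the user sees every bucket name in the namespace; the per-bucket restriction still holds on the contents.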
