IAM policy to list specific folders inside S3 bucket for user
I have the following keys under the bucket demo.for.customers:
demo.for.customers/customer1/
demo.for.customers/customer2/
Now I have 2 clients, namely client1 and client2. This is what I want:
- Give them access to the demo.for.customers stuff only.
- Client1 should only have access to demo.for.customers/customer1/ and Client2 should only have access to demo.for.customers/customer2/.
And I can achieve this with the below policy (I create a policy for each client, so I only paste it for client1 below). I have defined this policy in IAM, not S3.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
            "Effect": "Allow",
            "Resource": ["arn:aws:s3:::*"]
        },
        {
            "Action": ["s3:ListBucket"],
            "Effect": "Allow",
            "Resource": ["arn:aws:s3:::demo.for.customers"],
            "Condition": {"StringEquals": {"s3:prefix": ["", "customer1/"], "s3:delimiter": ["/"]}}
        },
        {
            "Effect": "Allow",
            "Action": ["s3:*"],
            "Resource": ["arn:aws:s3:::demo.for.customers/customer1/*"]
        }
    ]
}
Problem:
- Client1 can see all my buckets, although he cannot access any of them. I do not want that. He should only be able to see demo.for.customers.
- Client1 can see demo.for.customers/customer2/, although he cannot access it. This is very unacceptable, as I don't want him to even see which other client folders I have under this bucket.
QUESTIONS:
- After doing a lot of searching, I found out that there is no way to list only specific buckets. Is it really so?
- However, I need to find a way to list only specific folders inside the bucket for a given user. How do I do it?
Thanks.
1 answer
Regarding your problems:
- Unfortunately, there is no way to list only specific buckets. If the goal is only to allow access to one known bucket, I would remove the first statement completely, as it doesn't add any value (the bucket is already known and won't need to be enumerated).
- Can you show the code you are using to list the contents of the bucket? Based on what you showed here, I would expect client1 to be able to display the contents of the bucket at the root of their prefix and nowhere else.
Regarding your questions:
- Yes, there is no way to list only some buckets. The list APIs are all or nothing.
- This is done with a prefix. What language do you use? We have a sample for the AWS Mobile SDK that uses a Token Vending Machine to deliver per-user access to an S3 bucket.
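The following is an added worked example (not code from the question or the answer above) that makes the "done with a prefix" point concrete. It builds a per-client policy in which the s3:ListBucket statement is conditioned on the client's own prefix and no longer contains the "" entry from the original policy (it is that "" entry that permits listing the bucket root, where the CommonPrefixes of every client folder are returned). It then runs both variants through a deliberately simplified local model of how IAM evaluates the s3:prefix condition and of what ListObjectsV2 returns for a Prefix/Delimiter request, so the leak and the fix can be seen without an AWS account. The bucket name and folder names come from the question; the sample object keys, the helper names (client_policy, list_allowed, list_objects, visible_folders) and the treatment of a missing Prefix parameter as "" are assumptions made for this example.

```python
import json
import re

# Bucket and client layout from the question; the object keys are constructed sample data.
BUCKET = "demo.for.customers"
SAMPLE_KEYS = [
    "customer1/readme.txt",
    "customer1/reports/q1.pdf",
    "customer2/readme.txt",
]


def client_policy(bucket, client_prefix, list_root=False):
    """Per-client policy: no s3:ListAllMyBuckets (the bucket name is known),
    s3:ListBucket only for requests whose Prefix is the client's folder or
    something below it, and object operations only under that folder.
    list_root=True adds the "" entry the original policy had, which allows
    listing the bucket root."""
    prefixes = [client_prefix, client_prefix + "*"]
    if list_root:
        prefixes.insert(0, "")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOwnPrefixOnly",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
                "Condition": {"StringLike": {"s3:prefix": prefixes}},
            },
            {
                "Sid": "ObjectsOwnPrefixOnly",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/{client_prefix}*"],
            },
        ],
    }


def _like(pattern, value):
    """IAM StringLike matching: '*' is any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def list_allowed(policy, bucket, prefix=""):
    """Simplified model of IAM deciding s3:ListBucket on `bucket` for a request
    carrying Prefix=`prefix`. Assumption: a request without a Prefix parameter
    is treated as prefix "". Only Allow statements with a StringEquals or
    StringLike condition on s3:prefix are modelled."""
    arn = f"arn:aws:s3:::{bucket}"
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or "s3:ListBucket" not in st["Action"]:
            continue
        if arn not in st["Resource"]:
            continue
        cond = st.get("Condition", {})
        if not cond:
            return True  # unconditional ListBucket on this bucket
        exact = cond.get("StringEquals", {}).get("s3:prefix", [])
        patterns = cond.get("StringLike", {}).get("s3:prefix", [])
        if prefix in exact or any(_like(p, prefix) for p in patterns):
            return True
    return False


def list_objects(keys, prefix="", delimiter=None):
    """What S3 returns for ListObjectsV2(Prefix, Delimiter): keys under the
    prefix, with everything past the next delimiter rolled up into
    CommonPrefixes, i.e. the 'folders' a client gets to see."""
    contents, common = [], []
    for key in sorted(keys):
        if not key.startswith(prefix):
            continue
        rest = key[len(prefix):]
        if delimiter and delimiter in rest:
            folder = prefix + rest.split(delimiter, 1)[0] + delimiter
            if folder not in common:
                common.append(folder)
        else:
            contents.append(key)
    return {"Contents": contents, "CommonPrefixes": common}


def visible_folders(policy, keys, prefix=""):
    """Folders the client sees for Prefix=prefix, Delimiter='/', or None when
    IAM denies the list call outright."""
    if not list_allowed(policy, BUCKET, prefix):
        return None
    return list_objects(keys, prefix, "/")["CommonPrefixes"]


if __name__ == "__main__":
    leaky = client_policy(BUCKET, "customer1/", list_root=True)
    fixed = client_policy(BUCKET, "customer1/")
    print("root listing with the \"\" entry:", visible_folders(leaky, SAMPLE_KEYS))
    print("root listing without it:", visible_folders(fixed, SAMPLE_KEYS))
    print("own folder:", visible_folders(fixed, SAMPLE_KEYS, "customer1/"))
    print(json.dumps(fixed, indent=2))
```

Against real S3 the client then lists its folder with `s3.list_objects_v2(Bucket="demo.for.customers", Prefix="customer1/", Delimiter="/")` (boto3); a call without a Prefix, or with another client's prefix, is rejected by IAM before S3 returns anything, and the Prefix/Delimiter response model above only approximates the service, so verify the final policy with the IAM policy simulator or a test user.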