Resource variable name in AWS IAM policy
I am creating S3 buckets programmatically, using the name pattern standard-prefix-{variable}. I am trying to create an IAM policy so that the user can update, create, and delete buckets in the account, but only if the bucket name contains the "standard prefix", i.e. I don't want to be allowed to change other buckets in the account. I find many ways to restrict access to resources in a bucket given a specific bucket name, but not how to restrict access when bucket names change.
Something like this (which doesn't seem to work):

    "Resource": "arn:aws:s3:::standard-prefix-*"
Examples from the AWS documentation:

A dynamic name based on the username is the closest I've found, but I need a substitution for the variable part of the bucket name:
    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Action": "sqs:*",
        "Resource": "arn:aws:sqs:us-west-2:*:${aws:username}-queue"
      }]
    }
Items with the specified bucket name:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": ["s3:ListBucket"],
          "Effect": "Allow",
          "Resource": ["arn:aws:s3:::mybucket"],
          "Condition": {"StringLike": {"s3:prefix": ["${aws:username}/*"]}}
        },
        {
          "Action": [
            "s3:GetObject",
            "s3:PutObject"
          ],
          "Effect": "Allow",
          "Resource": ["arn:aws:s3:::mybucket/${aws:username}/*"]
        }
      ]
    }
This is the policy that ended up working. When creating buckets, they are given a name such as standard_prefix-20150101, standard_prefix-20150515, etc. Users with this IAM policy can then do whatever they want on these buckets, but not change the other buckets in the account.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "One",
          "Effect": "Allow",
          "Action": [
            "*"
          ],
          "Resource": [
            "arn:aws:s3:::standard_prefix-*"
          ]
        },
        {
          "Sid": "Two",
          "Effect": "Allow",
          "Action": [
            "s3:List*"
          ],
          "Resource": [
            "arn:aws:s3:::*"
          ]
        }
      ]
    }
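To see what the wildcard resource in the answer actually covers before attaching it to a user, here is an added Python script (not from the question or the answer, and not an AWS tool) that applies IAM's wildcard rules, `*` for any run of characters and `?` for one character, to the answer's policy and to a handful of constructed requests. It shows that `arn:aws:s3:::standard_prefix-*` also matches object ARNs inside those buckets (because `*` spans `/`), that statement "Two" grants `s3:ListBucket` on every bucket in the account rather than only the bucket list, and that the hyphenated `standard-prefix-` name from the question does not match the underscore pattern in the answer. The second, tighter policy in the script is my own assumption about how a defender would narrow the grant (`s3:*` instead of `*`, and `s3:ListAllMyBuckets` instead of `s3:List*`); it is not part of the page. The evaluator models only Allow statements without Condition blocks, which is all the page's policies use; real IAM evaluation also applies explicit Deny statements, bucket policies and SCPs.

```python
import json
import re

# Sample input, copied from the answer above: the policy that worked.
ANSWER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "One", "Effect": "Allow", "Action": ["*"],
     "Resource": ["arn:aws:s3:::standard_prefix-*"]},
    {"Sid": "Two", "Effect": "Allow", "Action": ["s3:List*"],
     "Resource": ["arn:aws:s3:::*"]}
  ]
}
""")

# A tighter variant (my assumption, not from the page): scope the wildcard
# action to S3 and replace the blanket s3:List* with the single action needed
# to see the account's bucket list in the console or CLI.
TIGHTER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "One", "Effect": "Allow", "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::standard_prefix-*"]},
    {"Sid": "Two", "Effect": "Allow", "Action": ["s3:ListAllMyBuckets"],
     "Resource": ["arn:aws:s3:::*"]}
  ]
}
""")


def _wildcard_to_regex(pattern, ignore_case):
    # IAM wildcard semantics: '*' matches any run of characters (it also
    # spans '/', so a bucket pattern covers that bucket's object keys) and
    # '?' matches exactly one character; everything else is literal.
    body = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.compile("^" + body + "$", re.IGNORECASE if ignore_case else 0)


def _matches(patterns, value, ignore_case=False):
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(_wildcard_to_regex(p, ignore_case).match(value) for p in patterns)


def is_allowed(policy, action, resource_arn):
    """True if an Allow statement in this identity policy covers the pair
    (action, resource_arn). Actions match case-insensitively and ARNs
    case-sensitively, as in IAM. Simplification: no Deny statements and no
    Condition blocks are modelled, since the page's policies have none."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if _matches(stmt["Action"], action, ignore_case=True) and \
                _matches(stmt["Resource"], resource_arn):
            return True
    return False


# Constructed requests a user holding the policy might make.
REQUESTS = [
    ("s3:CreateBucket", "arn:aws:s3:::standard_prefix-20150101"),
    ("s3:DeleteBucket", "arn:aws:s3:::standard_prefix-20150515"),
    ("s3:PutObject", "arn:aws:s3:::standard_prefix-20150101/reports/q1.csv"),
    ("s3:DeleteBucket", "arn:aws:s3:::other-bucket"),
    ("s3:GetObject", "arn:aws:s3:::other-bucket/secret.txt"),
    ("s3:ListBucket", "arn:aws:s3:::other-bucket"),
    ("s3:CreateBucket", "arn:aws:s3:::standard-prefix-20150101"),
]


def evaluate(policy, requests=REQUESTS):
    """Map each (action, resource) pair to its allow / deny-by-default outcome."""
    return {(a, r): is_allowed(policy, a, r) for a, r in requests}


if __name__ == "__main__":
    for name, pol in (("answer", ANSWER_POLICY), ("tighter", TIGHTER_POLICY)):
        print(f"--- {name} policy ---")
        for (a, r), ok in evaluate(pol).items():
            print(f"{'ALLOW' if ok else 'deny '}  {a:<20} {r}")
```

Run it as-is to print both outcome tables side by side; the `s3:ListBucket` row on `other-bucket` is the one that flips from allowed under the answer's policy to denied under the tighter variant.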