Grant an IAM user access to a specific folder in an S3 bucket

Hi Techrunnr Subscribers, this document explains how to grant an IAM user access to a specific folder in an S3 bucket.


AWS provides an object storage service called S3 (Simple Storage Service), which lets a customer store files as objects in buckets. S3 is billed on usage and is inexpensive compared with most third-party file hosting services.
A bucket owner can grant access to team members or clients with IAM. Originally, permissions were effectively bucket-wide. IAM now supports condition keys for S3 (such as s3:prefix), which let an administrator scope access to a bucket or to a single folder inside it. Note that S3 has no real folders: a "folder" is just a key prefix such as documents/, and that is what the policy below matches on.

Here is how to grant an IAM user access to one specific folder in an S3 bucket.

I have an S3 bucket called techrunnr with two top-level folders (key prefixes):

techrunnr
> documents
> media

Here is the complete JSON policy that grants a user access to the documents folder in the techrunnr bucket.
The IAM user can only work with objects under documents/. Everything else in the bucket is implicitly denied, because no statement allows it. One caveat: the user can still see the names of the top-level folders (documents and media) when listing the bucket root, but cannot list or read anything under media/.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::techrunnr",
      "Condition": {
        "StringEquals": {
          "s3:prefix": [
            "documents/",
            ""
          ],
          "s3:delimiter": "/"
        }
      }
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::techrunnr",
      "Condition": {
        "StringLike": {
          "s3:prefix": "documents/*"
        }
      }
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:HeadBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor3",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::techrunnr/documents/*"
    }
  ]
}

Here is the policy above broken into its individual statements and explained.

1. First, give the IAM user permission to discover buckets, which the console and most S3 clients need before they can navigate into one.
For this, we use the following statement:

{
  "Sid": "VisualEditor2",
  "Effect": "Allow",
  "Action": [
    "s3:ListAllMyBuckets",
    "s3:GetBucketLocation"
  ],
  "Resource": "*"
}

s3:ListAllMyBuckets lets the user list the names of all buckets in the AWS account. It reveals bucket names only; it grants no access to their contents.
s3:GetBucketLocation returns the region a bucket was created in, which clients use to send requests to the correct regional endpoint.

Both actions only work with Resource "*". They are required when the user works through the AWS Management Console or most S3 clients, which enumerate buckets first. The complete policy above also lists s3:HeadBucket; the HeadBucket API call is actually authorized by s3:ListBucket, so that entry is harmless but not needed.

2. Next, allow the user to list the contents of the specific bucket.

{
  "Sid": "VisualEditor0",
  "Effect": "Allow",
  "Action": "s3:ListBucket",
  "Resource": "arn:aws:s3:::techrunnr",
  "Condition": {
    "StringEquals": {
      "s3:prefix": [
        "documents/",
        ""
      ],
      "s3:delimiter": "/"
    }
  }
}

s3:ListBucket lets the user list the objects (files and folder prefixes) in a bucket. Without it, S3 clients return an Access Denied error when browsing, even for objects the user is allowed to read.
The condition restricts listing to exactly two cases: the bucket root (the empty prefix "", so the console can show the top-level folders) and the documents/ prefix itself. In both cases the request must use the delimiter "/", which groups keys into folders instead of returning every key under the prefix. A request with any other prefix, or without the delimiter, does not match this statement.

3. Allow the user to list files and subfolders deeper inside the documents folder.

{
  "Sid": "VisualEditor1",
  "Effect": "Allow",
  "Action": "s3:ListBucket",
  "Resource": "arn:aws:s3:::techrunnr",
  "Condition": {
    "StringLike": {
      "s3:prefix": "documents/*"
    }
  }
}

The StringLike condition matches any prefix that starts with documents/, with or without a delimiter, so listing a subfolder such as documents/2018/ or running a recursive listing of the documents folder is allowed. A prefix such as media/ does not match, so listing other folders is denied.

4. Grant the user full access to every object in the documents folder.

{
  "Sid": "VisualEditor3",
  "Effect": "Allow",
  "Action": "s3:*",
  "Resource": "arn:aws:s3:::techrunnr/documents/*"
}

Outside the documents folder, the user cannot perform any action in this bucket or in any other bucket, because no statement allows it and IAM denies everything that is not explicitly allowed. Be aware that "s3:*" on documents/* is broader than reading and writing files: it also covers s3:DeleteObject, s3:DeleteObjectVersion and s3:PutObjectAcl. For least privilege, replace "s3:*" with only the object actions the user actually needs, for example s3:GetObject, s3:PutObject and s3:DeleteObject.
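To see which requests this policy actually permits, here is a small simulator that replays the policy against the calls an IAM user would make. It is an added example written for this article, not AWS code and not a full IAM evaluator: it implements only what the policy uses (Allow statements, "*" and "?" wildcards in Action and Resource, and StringEquals/StringLike on the s3:prefix and s3:delimiter keys), treats anything unmatched as an implicit deny, and assumes that a plain `aws s3 ls` of a path sends that prefix with the delimiter "/" while `--recursive` sends no delimiter. The object keys and commands in simulate() are constructed for the example.

```python
# Added example (not AWS code): a minimal evaluator for the folder-scoped policy above.
import re

POLICY = {  # the article's policy, written as a Python dict
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::techrunnr",
         "Condition": {"StringEquals": {"s3:prefix": ["documents/", ""],
                                        "s3:delimiter": "/"}}},
        {"Sid": "VisualEditor1", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::techrunnr",
         "Condition": {"StringLike": {"s3:prefix": "documents/*"}}},
        {"Sid": "VisualEditor2", "Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets", "s3:HeadBucket", "s3:GetBucketLocation"],
         "Resource": "*"},
        {"Sid": "VisualEditor3", "Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::techrunnr/documents/*"},
    ],
}

BUCKET = "arn:aws:s3:::techrunnr"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild_match(pattern, value):
    """IAM-style matching: '*' is any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _condition_holds(condition, ctx):
    """Every operator and every key must match. A key absent from the request
    fails the test (the policy uses no ...IfExists operators); a list of
    expected values means 'any of these'."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            if key not in ctx:
                return False
            if operator == "StringEquals":
                ok = any(ctx[key] == e for e in _as_list(expected))
            elif operator == "StringLike":
                ok = any(_wild_match(e, ctx[key]) for e in _as_list(expected))
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True


def is_allowed(policy, action, resource, ctx=None):
    """True if some Allow statement matches the action, resource and request
    context; otherwise the request is implicitly denied."""
    ctx = ctx or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(_wild_match(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wild_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], ctx):
            continue
        return True
    return False


def simulate():
    """Constructed requests keyed by the CLI command that would issue them."""
    def ls(prefix, delimiter="/"):  # assumed CLI mapping: --recursive omits the delimiter
        ctx = {"s3:prefix": prefix}
        if delimiter is not None:
            ctx["s3:delimiter"] = delimiter
        return is_allowed(POLICY, "s3:ListBucket", BUCKET, ctx)

    return {
        "aws s3 ls": is_allowed(POLICY, "s3:ListAllMyBuckets", "arn:aws:s3:::*"),
        "aws s3 ls s3://techrunnr/": ls(""),                     # root: folder names only
        "aws s3 ls s3://techrunnr/documents/": ls("documents/"),
        "aws s3 ls s3://techrunnr/documents/2018/": ls("documents/2018/"),  # via StringLike
        "aws s3 ls s3://techrunnr/media/": ls("media/"),
        "aws s3 ls s3://techrunnr/ --recursive": ls("", delimiter=None),
        "aws s3 cp s3://techrunnr/documents/report.pdf .":
            is_allowed(POLICY, "s3:GetObject", BUCKET + "/documents/report.pdf"),
        "aws s3 rm s3://techrunnr/documents/report.pdf":
            is_allowed(POLICY, "s3:DeleteObject", BUCKET + "/documents/report.pdf"),
        "aws s3 cp s3://techrunnr/media/logo.png .":
            is_allowed(POLICY, "s3:GetObject", BUCKET + "/media/logo.png"),
    }


if __name__ == "__main__":
    for request, allowed in simulate().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {request}")
```

Running it shows the shape of the policy at a glance: the root and documents/ listings are allowed, the media/ listing and the whole-bucket recursive listing are denied, and the "s3:*" statement lets the user delete objects under documents/, which is worth remembering before handing the policy to a client.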

© 2018, Techrunnr. All rights reserved.

Categories: AWS

Prabhin Prabharkaran

He is a technical professional who loves to share tricks and tips on the Internet. He posts what he does!
