Granting Access to a Single S3 Bucket Using AWS Identity and Access Management.

Granting Access to a Single S3 Bucket Using AWS Identity and Access Management

Miguel Menéndez

If you have ever used Amazon’s AWS console then you probably know that though sometimes it can be clunky, it has a ton of functionality for interacting with the various AWS services. So when I needed to give one of my coworkers access to one of our S3 buckets, I immediately investigated the laziest option: Figuring out how they could login to the S3 console and use that to manage the bucket.

The S3 console is pretty great. Uploading, downloading, creating folders, managing permissions, even copying and pasting buckets between files is a snap.

After some trial and error, success! I have written a quick guideline on how to do this below.

1. Login to the IAM AWS console

Login here as the owner of the AWS account. Click the IAM tab.

2. Create an account alias

This step is optional, but it gives you a nice login URL for your users. Add an account alias in the AWS Account Alias section of the IAM console. Then, your login URL will be youralias.signin.aws.amazon.com.

If you do not do this, your login page URL will be a bunch of random numbers.

3. Create a new user (and/or a new group)

With IAM you can create a group that has certain permissions, and then assign users to that group. Or, you can just create users piecemeal, but then you cannot reuse permissions.

If you want a group, create it first. Then create a user and assign it to that group.

4. Set a password for the new user

Click the new user you have created and then click the Security Credentials tab. On that page, you can click Manage Password to add a password for your user. Without a password, the user won’t be able to login to the AWS console.

If you have an account alias (youralias.signin.aws.amazon.com), make sure your user knows to use the login page in order to login (they cannot use the regular AWS login page).

You will notice your user also has a AWS access key created: API clients using this key will have the same permissions as the user would in the AWS console.

5. Add permissions for your user

Permissions are added either on the group the user is in, or if you decided not to create a group, the user account itself.

Click the user or group, then click the Permissions tab. Here you can see which permissions policies are currently attached to the group or user. Click the Attach Policy button. You will get a pop-up where you can Manage User Permissions. Here you can select a prerolled policy, use the Policy Generator, or just paste in a custom policy.

There are two permissions that need to be added in order for your user to be able to login, see the bucket list in the S3 console, and manage the one bucket you have assigned.

To manage the bucket, you need to grant the s3:* action for the bucket you designate. AWS policies designate resources by their Amazon Resource Name, or ARN and for S3 buckets, they look like: arn:aws:s3:::yourbucketname. So to grant your user full access to your bucket, you had paste the policy:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": "s3:*",
    "Effect": "Allow",
    "Resource": [
      "arn:aws:s3:::yourbucketname",
      "arn:aws:s3:::yourbucketname/*"
    ]
  }]
}

Now, you would think that this would be enough to enable the user to use the S3 console to manage the bucket, but you’d be wrong. Turns out the user needs one more permission to do the initial listing of the buckets in order to be able to select a bucket, and its called s3:ListAllMyBuckets. You need to add that permissions too, and it looks like this:

1
2
3
4
5
6
7
8
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:ListAllMyBuckets",
    "Resource": "arn:aws:s3:::*"
  }]
}

6. The full merged JSON object

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::yourbucketname",
      "arn:aws:s3:::yourbucketname/*"
    ]},
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    }]
}

7. Done!

You’re done. Give the user their credentials and the login page, and then bask in the glory of laziness.

Source: AWS Documentation.

Comments

Found a bug? Do you think something could be improved? Feel free to let me know and I will be happy to take a look.