I am trying to understand how S3 access points work and I am testing one out. What I am trying to do is allow an IAM user with read-only permissions to the S3 bucket to upload files into the bucket through the S3 access point. But it's not working as expected. You can see what I've done below.
First I created an IAM user (named `basic`) that has the `AmazonS3ReadOnlyAccess` AWS managed policy attached through a user group. That user group has only that policy attached.
Then, in the S3 console, I created an S3 bucket (let's just call it `my-dummy-bucket` for now).
After creating the bucket, I created an S3 access point for the bucket I just created. The access point name is `my-first-access-point`; it's not in a VPC and can be accessed via the Internet.
I used the policy below for the Access point when I was creating it.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::1234567890:user/basic"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:eu-west-2:1234567890:accesspoint/my-first-access-point/object/basic-user-directory/*"
        }
    ]
}
```
As you can see, the policy allows the `basic` user to upload files/objects into `basic-user-directory`.
Then I logged into the AWS console as the `basic` user from a different browser. Then I went to the S3 console. I can see the access point and the bucket. Then I went to the access point and tried to upload a file into `basic-user-directory`. When I upload the file, I am getting this error.
What is missing in my configuration and how can I fix it?
You must grant the same policy to the bucket itself, though you can limit it to the user path. See this document:
For the access point policy to effectively grant access to Jane, the underlying bucket must also allow the same access to Jane. You can delegate access control from the bucket to the access point as described in Delegating access control to access points. Or, you can add the following policy to the underlying bucket to grant the necessary permissions to Jane. Note that the Resource entry differs between the access point and bucket policies.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/Jane"
            },
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET1/Jane/*"
        }
    ]
}
```
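To make the two-policy rule concrete, here is an added Python example (not from the question, the answer, or AWS) that takes the access point policy from the question, derives the bucket policy the answer says is required (rewriting the `accesspoint/.../object/<key>` resource into the `arn:aws:s3:::<bucket>/<key>` form), and models the evaluation: a request that arrives through an access point is allowed only if the access point policy and the bucket policy both allow it. The account id, region, bucket and access point names are the question's placeholders; the evaluator is a deliberately simplified model (principal, action and resource matching with an explicit Deny winning) and ignores conditions, `NotAction`/`NotResource` and the user's identity policy.

```python
"""Added example: derive the bucket policy an S3 access point policy needs and
model the rule that a request via an access point must pass both policies.
Not code from the original post; ARNs and names are the question's placeholders."""
import fnmatch
import re

# Constructed inputs mirroring the question (placeholder account, region, names).
ACCOUNT = "1234567890"
BUCKET = "my-dummy-bucket"
ACCESS_POINT_ARN = f"arn:aws:s3:eu-west-2:{ACCOUNT}:accesspoint/my-first-access-point"
BASIC_USER = f"arn:aws:iam::{ACCOUNT}:user/basic"

ACCESS_POINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": BASIC_USER},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": f"{ACCESS_POINT_ARN}/object/basic-user-directory/*",
    }],
}

# A bucket with no bucket policy at all, which is the state in the question.
EMPTY_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": []}

# Matches access point object ARNs and captures the object key part after "/object/".
AP_OBJECT_ARN = re.compile(r"^arn:aws:s3:[^:]*:[^:]*:accesspoint/[^/]+/object/(.*)$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def bucket_policy_from_access_point(ap_policy, bucket):
    """Rewrite every access point object ARN into the bucket ARN the bucket policy must name.

    The rest of each statement (effect, principal, actions) is copied unchanged, which is
    exactly the "same policy, different Resource" point made in the answer.
    """
    statements = []
    for stmt in ap_policy["Statement"]:
        translated = []
        for arn in _as_list(stmt["Resource"]):
            match = AP_OBJECT_ARN.match(arn)
            if match is None:
                raise ValueError(f"not an access point object ARN: {arn}")
            translated.append(f"arn:aws:s3:::{bucket}/{match.group(1)}")
        statements.append({**stmt, "Resource": translated})
    return {"Version": ap_policy["Version"], "Statement": statements}


def policy_allows(policy, principal, action, resource):
    """Minimal resource-policy evaluator: an explicit Deny wins, else any matching Allow grants."""
    allowed = False
    for stmt in policy.get("Statement", []):
        raw_principal = stmt.get("Principal", {})
        principals = ["*"] if raw_principal == "*" else _as_list(raw_principal.get("AWS", []))
        if "*" not in principals and principal not in principals:
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def request_via_access_point_allowed(ap_policy, bucket_policy, principal, action, key):
    """A request through the access point is evaluated against both policies; both must allow."""
    ap_resource = f"{ACCESS_POINT_ARN}/object/{key}"
    bucket_resource = f"arn:aws:s3:::{BUCKET}/{key}"
    return (policy_allows(ap_policy, principal, action, ap_resource)
            and policy_allows(bucket_policy, principal, action, bucket_resource))


if __name__ == "__main__":
    import json
    derived = bucket_policy_from_access_point(ACCESS_POINT_POLICY, BUCKET)
    print(json.dumps(derived, indent=2))
    key = "basic-user-directory/report.txt"
    print("no bucket policy :", request_via_access_point_allowed(
        ACCESS_POINT_POLICY, EMPTY_BUCKET_POLICY, BASIC_USER, "s3:PutObject", key))
    print("derived policy   :", request_via_access_point_allowed(
        ACCESS_POINT_POLICY, derived, BASIC_USER, "s3:PutObject", key))
```

Running it prints the derived bucket policy, whose single `Resource` is `arn:aws:s3:::my-dummy-bucket/basic-user-directory/*`, then `False` for the upload with no bucket policy (the question's situation) and `True` once the derived policy is attached. The model leaves the user's `AmazonS3ReadOnlyAccess` identity policy out on purpose: for a principal in the same account, an Allow in the bucket policy is enough for the PutObject, so the read-only identity policy is not what blocks the upload here. In a real deployment the derived document would be applied with `put-bucket-policy`, and a prefix broader than the user's directory should be tightened before doing so.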