Tags: ruby-on-rails, amazon-web-services, amazon-s3, identity-management

Why is an ARN for an S3 bucket invalid?


Sorry if this is a basic question, but I am very new to AWS: essentially I am following a tutorial and creating permissions for an S3 bucket for a Ruby on Rails app.

The first ARN I created is fine, no issues:

arn:aws:s3:::learning-path-blog-jon

However, the tutorial then says to create another ARN so as to access all files using the * wildcard, like this:

arn:aws:s3:::learning-path-blog-jon/*

However, when I try to do this, I get the "Entered ARN is invalid." message.

I am trying to work around this but so far no luck; as I say, I am brand new to AWS.

For full context the JSON view of my policy editor looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::learning-path-blog-jon"
        }
    ]
}

Could anyone please advise how I can alter the arn:aws:s3:::learning-path-blog-jon/* to be valid or else add the equivalent to the JSON?


Solution

Some API calls (e.g. ListBucket) operate on the bucket and therefore need permission on:

    arn:aws:s3:::learning-path-blog-jon

Some API calls (e.g. GetObject) operate on objects and therefore need permission on:

    arn:aws:s3:::learning-path-blog-jon/*

Those ones can even be restricted to certain paths, such as:

    arn:aws:s3:::learning-path-blog-jon/public/*

This grants permission on any objects with a path that starts with public/.

You could therefore supply two different statements:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::learning-path-blog-jon"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::learning-path-blog-jon/*"
        }
    ]
}

But it is typically easier to combine them into one statement:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::learning-path-blog-jon",
                "arn:aws:s3:::learning-path-blog-jon/*"
            ]
        }
    ]
}
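The following Ruby script is an added example, not part of the question or the answer above, written in Ruby because the asker's app is a Rails app. It encodes the bucket-ARN versus object-ARN split the answer describes: it validates S3 ARNs, builds a policy that gives bucket-level actions the bucket ARN and object-level actions the object ARN (optionally narrowed to a key prefix), and checks which ARN a given action would actually be allowed on. The two action lists are an illustrative subset chosen for this example, not the complete classification from the S3 documentation; the `s3:prefix` condition key used for ListBucket is a real IAM condition key. The helper and function names are the example's own.

```ruby
require 'json'

# Illustrative subset (assumption for this example) of which S3 actions are
# evaluated against the bucket ARN and which against object ARNs.
BUCKET_ACTIONS = %w[s3:ListBucket s3:GetBucketLocation s3:ListBucketVersions].freeze
OBJECT_ACTIONS = %w[s3:GetObject s3:PutObject s3:DeleteObject s3:PutObjectAcl].freeze

# Bucket names: 3-63 chars of lowercase letters, digits, dots and hyphens,
# starting and ending alphanumeric. An optional "/key-or-wildcard" suffix
# turns a bucket ARN into an object ARN.
S3_ARN = %r{\Aarn:aws:s3:::(?<bucket>[a-z0-9][a-z0-9.\-]{1,61}[a-z0-9])(?:/(?<key>.*))?\z}

# Returns { bucket:, key: } (key is nil for a bucket ARN), or nil if malformed.
def parse_s3_arn(arn)
  m = S3_ARN.match(arn)
  m && { bucket: m[:bucket], key: m[:key] }
end

def bucket_arn(bucket)
  "arn:aws:s3:::#{bucket}"
end

def object_arn(bucket, prefix = '')
  "arn:aws:s3:::#{bucket}/#{prefix}*"
end

# Builds a least-privilege policy: bucket-level actions get the bucket ARN,
# object-level actions get the object ARN, optionally limited to a prefix.
def build_policy(bucket, actions, prefix: '')
  unknown = actions - BUCKET_ACTIONS - OBJECT_ACTIONS
  raise ArgumentError, "unclassified actions: #{unknown.join(', ')}" unless unknown.empty?

  statements = []
  bucket_level = actions & BUCKET_ACTIONS
  object_level = actions & OBJECT_ACTIONS

  unless bucket_level.empty?
    st = { 'Effect' => 'Allow', 'Action' => bucket_level, 'Resource' => bucket_arn(bucket) }
    # When objects are limited to a prefix, limit listing to that prefix too.
    st['Condition'] = { 'StringLike' => { 's3:prefix' => ["#{prefix}*"] } } unless prefix.empty?
    statements << st
  end
  unless object_level.empty?
    statements << { 'Effect' => 'Allow', 'Action' => object_level,
                    'Resource' => object_arn(bucket, prefix) }
  end
  { 'Version' => '2012-10-17', 'Statement' => statements }
end

# IAM-style wildcard match of a Resource entry ("*" and "?") against a concrete ARN.
def arn_matches?(pattern, arn)
  re = Regexp.new('\A' + Regexp.escape(pattern).gsub('\*', '.*').gsub('\?', '.') + '\z')
  re.match?(arn)
end

# True if some Allow statement names the action and a Resource covering the ARN.
# Only Allow/Resource matching is modelled here; Deny and Condition are not.
def policy_allows?(policy, action, arn)
  policy['Statement'].any? do |st|
    st['Effect'] == 'Allow' &&
      Array(st['Action']).include?(action) &&
      Array(st['Resource']).any? { |r| arn_matches?(r, arn) }
  end
end

if __FILE__ == $PROGRAM_NAME
  bucket = 'learning-path-blog-jon'
  actions = %w[s3:PutObject s3:GetObject s3:ListBucket s3:DeleteObject s3:PutObjectAcl]
  # The question's policy: every action granted on the bucket ARN only.
  asked = { 'Version' => '2012-10-17', 'Statement' => [
    { 'Effect' => 'Allow', 'Action' => actions, 'Resource' => bucket_arn(bucket) }] }
  fixed = build_policy(bucket, actions)
  obj = "arn:aws:s3:::#{bucket}/uploads/photo.jpg" # constructed object ARN
  puts "question's policy, GetObject on an object: #{policy_allows?(asked, 's3:GetObject', obj)}"
  puts "split policy,      GetObject on an object: #{policy_allows?(fixed, 's3:GetObject', obj)}"
  puts JSON.pretty_generate(build_policy(bucket, actions, prefix: 'public/'))
end
```

Running it shows why the asker's policy silently fails at runtime even though the console accepted it: `s3:GetObject` is only ever evaluated against an object ARN, and `arn:aws:s3:::learning-path-blog-jon` (no trailing `/*`) never matches one, so the object statement from the answer is required. The `prefix:` option reproduces the answer's `public/*` narrowing and additionally scopes listing with `s3:prefix`, so a user limited to one folder cannot enumerate the rest of the bucket.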