Sorry if this is a basic question, but I am very new to AWS. Essentially, I am following a tutorial and creating permissions for an S3 bucket for a Ruby on Rails app.
The first ARN I created is fine, no issues:
arn:aws:s3:::learning-path-blog-jon
However, the tutorial then says to create another ARN so as to access all files using the * wildcard, like this:
arn:aws:s3:::learning-path-blog-jon/*
However, when I try to do this I get the "Entered ARN is invalid." message.
I am trying to work around this but so far no luck - as I say brand new to AWS.
For full context the JSON view of my policy editor looks like this:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:ListBucket",
                    "s3:DeleteObject",
                    "s3:PutObjectAcl"
                ],
                "Resource": "arn:aws:s3:::learning-path-blog-jon"
            }
        ]
    }
Could anyone please advise how I can alter the arn:aws:s3:::learning-path-blog-jon/* to be valid or else add the equivalent to the JSON?
Some API calls (e.g. ListBucket) operate on the bucket and therefore need permission on:
arn:aws:s3:::learning-path-blog-jon
Some API calls (e.g. GetObject) operate on objects and therefore need permission on:
arn:aws:s3:::learning-path-blog-jon/*
Those ones can even be restricted to certain paths, such as:
arn:aws:s3:::learning-path-blog-jon/public/*
This grants permission on any objects with a path that starts with public/.
You could therefore supply two different statements:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:ListBucket"
                ],
                "Resource": "arn:aws:s3:::learning-path-blog-jon"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:DeleteObject",
                    "s3:PutObjectAcl"
                ],
                "Resource": "arn:aws:s3:::learning-path-blog-jon/*"
            }
        ]
    }
But it is typically easier to combine them into one statement:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:ListBucket",
                    "s3:DeleteObject",
                    "s3:PutObjectAcl"
                ],
                "Resource": [
                    "arn:aws:s3:::learning-path-blog-jon",
                    "arn:aws:s3:::learning-path-blog-jon/*"
                ]
            }
        ]
    }
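
An added example, not part of the original answer: a small Python check that reports Allow'd actions whose statement has no resource of the matching kind (bucket vs. object), which is why the policy in the question would not grant its object-level actions. The function names and the action table (limited to the five actions on this page) are this example's own, and it assumes statements without Condition or NotResource elements.

```python
# Kind of S3 resource each action applies to (only the five actions used on this page).
ACTION_TARGET = {
    "s3:PutObject": "object",
    "s3:GetObject": "object",
    "s3:ListBucket": "bucket",
    "s3:DeleteObject": "object",
    "s3:PutObjectAcl": "object",
}

def as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def resource_kinds(arn):
    """Kinds of S3 resource an ARN pattern can match: 'bucket', 'object', or both."""
    if arn == "*":
        return {"bucket", "object"}
    prefix = "arn:aws:s3:::"
    if not arn.startswith(prefix):
        return set()
    rest = arn[len(prefix):]
    if "/" in rest:
        return {"object"}  # bucket/key-pattern only ever names objects
    # A '*' in the bucket part also matches "bucket/key": IAM wildcards span '/'.
    return {"bucket", "object"} if "*" in rest else {"bucket"}

def ineffective_actions(policy):
    """Return (statement index, action, needed kind) for each Allow'd action
    that has no resource of the needed kind in its own statement."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        kinds = set()
        for arn in as_list(stmt.get("Resource", [])):
            kinds |= resource_kinds(arn)
        for action in as_list(stmt.get("Action", [])):
            needed = ACTION_TARGET.get(action)
            if needed and needed not in kinds:
                findings.append((i, action, needed))
    return findings

# Sample policies constructed from the ones shown on this page.
BUCKET = "arn:aws:s3:::learning-path-blog-jon"

def policy_for(resource):
    stmt = {"Effect": "Allow", "Action": list(ACTION_TARGET), "Resource": resource}
    return {"Version": "2012-10-17", "Statement": [stmt]}

QUESTION_POLICY = policy_for(BUCKET)                  # bucket ARN only
COMBINED_POLICY = policy_for([BUCKET, BUCKET + "/*"])  # bucket and object ARNs
```

Calling `ineffective_actions(QUESTION_POLICY)` lists the four object-level actions as lacking an object resource, while `COMBINED_POLICY` produces no findings.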