DEVHIDE
Login Or Sign up

Unable to upload files to AWS S3 bucket via S3 Access Point

490 Views Asked by At

I am trying to understand how S3 access point works and testing it out. What I am trying to do is that I am allowing an IAM using with Read only permissions to S3 bucket upload files into the bucket through the S3 Access Point. But it's not working as expected. You can see what've done below.

First I have created a IAM user (name is basic) that has the AmazonS3ReadOnlyAccess AWS managed policy attached through a user group. That user group has only that policy attached.

Then I in the S3 console, I created an s3 bucket (let's just call it my-dummy-bucket for now). After creating the bucket, I created an S3 Access point for the bucket I just created. The access point name is my-first-access-point and it's not in a VPC and can be accessed via the Internet.

I used the policy below for the Access point when I was creating it.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::1234567890:user/basic"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:eu-west-2:1234567890:accesspoint/my-first-access-point/object/basic-user-directory/*"
        }    
    ]
}

As you can see, the policy is allowing the basic user uploading the files/ objects into the basic-user-directory.

Then I logged into the AWS console as basic user from the different browser. Then I go to the S3 console. I can see the access point and bucket. Then I go the access point and then try to upload a file into the basic-user-directory. When I upload the file, I am getting this error.

enter image description here

enter image description here

What is missing in my configuration and how can I fix it?

amazon-web-services amazon-s3 amazon-s3-access-points
Original Q&A
1

There are 1 best solutions below

0
On BEST ANSWER

You must grant the same policy to the bucket itself though you can limit it to the user path. See this document

For the access point policy to effectively grant access to Jane, the underlying bucket must also allow the same access to Jane. You can delegate access control from the bucket to the access point as described in Delegating access control to access points. Or, you can add the following policy to the underlying bucket to grant the necessary permissions to Jane. Note that the Resource entry differs between the access point and bucket policies.

{
    "Version": "2012-10-17",
    "Statement": [
    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::123456789012:user/Jane"
        },
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET1/Jane/*"
    }]    
}

Related Questions in AMAZON-WEB-SERVICES

Related Questions in AMAZON-S3

Related Questions in AMAZON-S3-ACCESS-POINTS

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.