Mike Ferrier

I beat code into submission.

Granting Access to a Single S3 Bucket Using Amazon IAM

If you’ve ever used Amazon’s AWS console then you probably know that though sometimes it can be clunky, it has a ton of functionality for interacting with the various AWS services. So when I needed to give one of my coworkers at 4ormat access to one of our S3 buckets, I immediately investigated the laziest option: figuring out how they could log in to the S3 console and use that to manage the bucket.

The S3 console is pretty great. Uploading, downloading, creating folders, managing permissions, even copying and pasting files between buckets is a snap. If I could figure this out, I would save myself all the work of setting up S3Fox or, even worse, writing an interface from scratch.

After some trial and error, success! I’ve written a quick guideline on how to do this below.

1. Log in to the IAM AWS console

Log in here as the owner of the AWS account. Click the IAM tab.

2. Create an account alias

This step is optional, but it gives you a nice login URL for your users. Add an account alias in the AWS Account Alias section of the IAM console. Then, your login URL will be youralias.signin.aws.amazon.com.

If you don’t do this, your login page URL will be a bunch of random numbers.

3. Create a new group or a new user

With IAM you can create a group that has certain permissions, and then assign users to that group. Or, you can just create users piecemeal, but then you can’t reuse permissions.

If you want a group, create it first. Then create a user and assign it to that group.

4. Set a password for the new user

Click the new user you’ve created and then click the Security Credentials tab. On that page, you can click Manage Password to add a password for your user. Without a password, the user won’t be able to log in to the AWS console.

Make sure your user knows to use the login page from step #2 in order to log in — they can’t use the regular AWS login page.

You’ll notice your user also has an AWS access key created: API clients using this key will have the same permissions as the user would in the AWS console.

5. Add permissions for your user

Permissions are added either on the group the user is in, or if you decided not to create a group, the user account itself.

Click the user or group, then click the Permissions tab. Here you can see which permissions policies are currently attached to the group or user. Click the Attach Policy button. You’ll get a pop-up where you can Manage User Permissions. Here you can select a prerolled policy, use the Policy Generator, or just paste in a custom policy.

There are two permissions that need to be added in order for your user to be able to login, see the bucket list in the S3 console, and manage the one bucket you’ve assigned.

To manage the bucket, you need to grant the s3:* action for the bucket you designate. AWS policies designate resources by their Amazon Resource Name, or ARN, and for S3 buckets they look like: arn:aws:s3:::bucket-name-here. The bare bucket ARN covers bucket-level operations (listing the bucket, for example), while the bucket-name-here/* form covers the objects inside it, which is why both appear below. So to grant your user full access to your bucket, you’d paste the policy:

{
  "Statement": [
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::4ormat-knowledge-base",
        "arn:aws:s3:::4ormat-knowledge-base/*"
      ]
    }
  ]
}

Now, you would think that this would be enough to enable the user to use the S3 console to manage the bucket, but you’d be wrong. Turns out the user needs one more permission to do the initial listing of the buckets in order to be able to select a bucket, and it’s called s3:ListAllMyBuckets. You need to add that permission too, and it looks like this:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    }
  ]
}

6. Done!

You’re done. Give the user their credentials and the login page, and then bask in the glory of laziness.

Update Jul 31st, 2013 — Jay Klehr in the comments posted the full merged JSON object for those having trouble merging them together:

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::4ormat-knowledge-base",
                "arn:aws:s3:::4ormat-knowledge-base/*"
            ]
        }
    ]
}
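The following is an added example, not code from the post or from Jay Klehr’s comment. It builds the merged policy above for a given bucket name and runs a simplified IAM evaluation over it, so you can see offline why the two statements are both needed and what the policy does not grant: s3:ListAllMyBuckets fails against the bucket-only policy, object access is scoped to bucket-name/*, and a bucket whose name merely starts with yours (constructed here as 4ormat-knowledge-base-backup) stays out of reach. The "Version" key is added here (the post’s snippets omit it) and is the current policy language version; the evaluator models only Effect/Action/Resource with IAM wildcards and explicit-deny-wins, not Condition, NotAction, NotResource or principals.

```python
import json
import re

# Constructed values: the bucket name is the one used in the post; the other
# bucket names and object keys below are hypothetical and only exercise the evaluator.
BUCKET = "4ormat-knowledge-base"

# Request resource used for s3:ListAllMyBuckets, which is not scoped to a bucket.
# The service-level ARN prefix is matched by the "arn:aws:s3:::*" pattern and by
# nothing narrower, which is the point the post makes about that permission.
SERVICE_ARN = "arn:aws:s3:::"


def single_bucket_policy(bucket):
    """Return the merged policy from the post for one bucket, as a dict."""
    return {
        "Version": "2012-10-17",  # added here; the post's snippets omit it
        "Statement": [
            # Needed only so the console can render the bucket list.
            {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*"},
            # Bucket ARN for bucket-level calls (ListBucket, GetBucketLocation, ...),
            # bucket/* ARN for object-level calls (GetObject, PutObject, ...).
            {
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            },
        ],
    }


def bucket_only_policy(bucket):
    """The post's first snippet on its own: bucket access without s3:ListAllMyBuckets."""
    return {"Version": "2012-10-17", "Statement": single_bucket_policy(bucket)["Statement"][1:]}


def _as_list(value):
    # Action and Resource may each be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, then any Allow, else implicit deny.

    Action names are matched case-insensitively, resource ARNs case-sensitively.
    """
    decision = False
    for statement in policy["Statement"]:
        actions = _as_list(statement.get("Action", []))
        resources = _as_list(statement.get("Resource", []))
        action_hit = any(_glob_match(a, action, ignore_case=True) for a in actions)
        resource_hit = any(_glob_match(r, resource) for r in resources)
        if not (action_hit and resource_hit):
            continue
        if statement["Effect"] == "Deny":
            return False
        decision = True
    return decision


if __name__ == "__main__":
    policy = single_bucket_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    checks = [
        ("s3:ListAllMyBuckets", SERVICE_ARN),
        ("s3:ListBucket", f"arn:aws:s3:::{BUCKET}"),
        ("s3:GetObject", f"arn:aws:s3:::{BUCKET}/docs/readme.txt"),
        ("s3:GetObject", "arn:aws:s3:::other-bucket/docs/readme.txt"),
        ("s3:ListBucket", f"arn:aws:s3:::{BUCKET}-backup"),
    ]
    for action, resource in checks:
        print(f"{action:24} {resource:55} {'ALLOW' if is_allowed(policy, action, resource) else 'DENY'}")
    print("ListAllMyBuckets without the second statement:",
          is_allowed(bucket_only_policy(BUCKET), "s3:ListAllMyBuckets", SERVICE_ARN))
```

Feed the dict from single_bucket_policy through json.dumps to get the text you paste into the IAM console. If you later need to carve an exception out of s3:*, append a Deny statement rather than enumerating allowed actions; the evaluator shows that a Deny on, say, s3:DeleteBucket overrides the wildcard Allow for that one call and leaves the rest intact.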
