How to set correct IAM permission for users to get read-only rights to a specific prefix? #342
-
I aim to develop an IAM policy that grants users read-only access to all files within a specific path in a bucket. I have 3 questions on this topic:

First, I wrote an IAM policy based on aws/s3-folder-user-access, but it does not meet my requirements.

```json
{
  "ID": "",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowStatement1",
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "NotAction": [],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::MY-BUCKET"],
      "NotResource": [],
      "Condition": {}
    },
    {
      "Sid": "AllowStatement2A",
      "Action": ["s3:ListBucket"],
      "NotAction": [],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::MY-BUCKET"],
      "NotResource": [],
      "Condition": {
        "StringEquals": {
          "s3:prefix": ["", "read-only/"],
          "s3:delimiter": ["/"]
        }
      }
    },
    {
      "Sid": "AllowStatement3",
      "Action": ["s3:ListBucket"],
      "NotAction": [],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::MY-BUCKET"],
      "NotResource": [],
      "Condition": {
        "StringLike": {
          "s3:prefix": ["read-only/*"]
        }
      }
    },
    {
      "Sid": "AllowStatement4A",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:GetObjectAttributes",
        "s3:GetObjectLegalHold",
        "s3:GetObjectRetention"
      ],
      "NotAction": [],
      "Resource": ["arn:aws:s3:::MY-BUCKET/read-only/*"],
      "NotResource": [],
      "Condition": {}
    }
  ]
}
```

With the IAM policy above, I can see the MY-BUCKET bucket, but when I click in, no read-only folder appears. So I have to remove the condition keys:

```json
{
  "ID": "",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowStatement1",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "NotAction": [],
      "Resource": [
        "arn:aws:s3:::MY-BUCKET"
      ],
      "NotResource": [],
      "Condition": {}
    },
    {
      "Sid": "AllowStatement2A",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "NotAction": [],
      "Resource": [
        "arn:aws:s3:::MY-BUCKET"
      ],
      "NotResource": [],
      "Condition": {}
    },
    {
      "Sid": "AllowStatement3",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "NotAction": [],
      "Resource": [
        "arn:aws:s3:::MY-BUCKET"
      ],
      "NotResource": [],
      "Condition": {
        "StringLike": {
          "s3:prefix": "read-only/*"
        }
      }
    },
    {
      "Sid": "AllowStatement4A",
      "Effect": "Allow",
      "Action": [
        "s3:GetObjectAttributes",
        "s3:GetObjectLegalHold",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:GetObjectRetention"
      ],
      "NotAction": [],
      "Resource": [
        "arn:aws:s3:::MY-BUCKET/read-only/*"
      ],
      "NotResource": [],
      "Condition": {}
    }
  ]
}
```

Although I can now see the read-only folder, this would allow users with that policy to view other folders/prefixes under MY-BUCKET. I'm unsure how to create an IAM policy that meets my requirements.

Second, it seems that if a user can log in to the console, he/she can change the IAM policy assigned to him/her and even modify other IAM policies. Is this intended or by design?

Third, the IAM policy does not seem to allow the use of wildcard format like

Version: rustfs 1.0.0-alpha.38
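To make the difference between the two policies in the question concrete, here is an added toy policy evaluator (my own code, not rustfs's IAM implementation or anything from AWS). It applies the first policy's ListBucket statements (conditioned on `s3:prefix` and `s3:delimiter`) and the second policy's unconditioned ListBucket to sample requests, assuming AWS semantics in which a condition key that the request does not carry makes the condition fail; the sample prefixes and object keys are constructed.

```python
import fnmatch
import json

# Constructed, simplified evaluator for S3-style IAM policies (not rustfs or AWS code):
# default deny, explicit Deny wins, wildcard Action/Resource matching, and only the
# StringEquals / StringLike operators the thread's policies use.
BUCKET = "arn:aws:s3:::MY-BUCKET"
PREFIX_SCOPED = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::MY-BUCKET"],
   "Condition": {"StringEquals": {"s3:prefix": ["", "read-only/"], "s3:delimiter": ["/"]}}},
  {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::MY-BUCKET"],
   "Condition": {"StringLike": {"s3:prefix": ["read-only/*"]}}},
  {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::MY-BUCKET/read-only/*"]}]}""")
# Same idea with the ListBucket conditions dropped (the question's second policy).
UNSCOPED_LIST = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::MY-BUCKET"]},
  {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::MY-BUCKET/read-only/*"]}]}""")

def _matches(patterns, value):
    # IAM-style wildcard match: '*' and '?' in the policy pattern.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(cond, ctx):
    # Every operator/key pair must hold; a key the request does not carry fails.
    for op, keys in cond.items():
        for key, allowed in keys.items():
            allowed = [allowed] if isinstance(allowed, str) else allowed
            if key not in ctx:
                return False
            if op == "StringEquals" and ctx[key] not in allowed:
                return False
            if op == "StringLike" and not _matches(allowed, ctx[key]):
                return False
    return True

def is_allowed(policy, action, resource, ctx=None):
    allowed = False
    for st in policy["Statement"]:
        if (_matches(st.get("Action", []), action)
                and _matches(st.get("Resource", []), resource)
                and _condition_holds(st.get("Condition", {}), ctx or {})):
            if st["Effect"] == "Deny":
                return False  # explicit Deny overrides any Allow
            allowed = True
    return allowed

def listable_prefixes(policy, prefixes=("", "read-only/", "read-only/2024/", "secret/")):
    # Which sample prefixes a ListBucket call with delimiter '/' may enumerate.
    return [p for p in prefixes
            if is_allowed(policy, "s3:ListBucket", BUCKET, {"s3:prefix": p, "s3:delimiter": "/"})]
```

Under the prefix-scoped policy `secret/` is not listable while under the unscoped one every prefix is, which is the exposure the question describes; GetObject outside `read-only/` stays denied in both because its Resource is already scoped.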
Replies: 3 comments 2 replies
-
@BobAnkh, Yes.
-
@loverustfs Thank you for your reply. I understand the second point, and for the first point:
I want to further confirm that,
-
@BobAnkh I'm so sorry. There is no way to implement this function now unless the IAM code is adjusted.