Monday, January 19, 2015

s3cmd needs "s3:ListAllMyBuckets" action to be allowed during initial configuration

If we want to create a restrictive IAM user policy that allows only uploading to a bucket, the policy below will work:

{
  "Id": "Policy1421692784857",
  "Statement": [
    {
      "Sid": "Stmt1421692783042",
      "Action": [
          "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::root/*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<account_name>:user/<bucket_name>"
        ]
      }
    }
  ]
}

You could use a policy similar to the one above and upload to the bucket with the aws cli. However, if you are using the s3cmd utility, the initial configuration ("s3cmd --configure") requires the "s3:ListAllMyBuckets" action to be allowed in order to work correctly. Per the AWS documentation, "ListAllMyBuckets" cannot be granted for a particular bucket: "The following example user policy grants the s3:CreateBucket, s3:ListAllMyBuckets, and the s3:GetBucketLocation permissions to a user. Note that for all these permissions, you set the relative-id part of the Resource ARN to "*". For all other bucket actions, you must specify a bucket name. For more information, see Specifying Resources in a Policy."

Instead, your IAM policy should look like this:

{
  "Statement": [
    {
      "Sid": "Stmt1421700917471",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "Stmt1421701147331",
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::<bucket_name>/*"
    }
  ]
}
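As an added example (not part of the original post), here is a small Python check that evaluates a policy document against the two grants s3cmd needs: account-wide ListAllMyBuckets for "s3cmd --configure" and PutObject on the bucket's objects. The bucket name "example-bucket" and the second, deliberately mis-scoped policy are constructed for the demonstration; the wildcard handling is an approximation of IAM matching via fnmatch, not the real IAM evaluator.

```python
import fnmatch
import json

# Constructed sample: the post's s3cmd-friendly policy with <bucket_name> set to a made-up bucket.
S3CMD_POLICY = json.loads("""{
  "Statement": [
    {"Sid": "AllowListBuckets", "Effect": "Allow",
     "Action": ["s3:ListAllMyBuckets"], "Resource": "arn:aws:s3:::*"},
    {"Sid": "AllowUpload", "Effect": "Allow",
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")

# Constructed counter-example: ListAllMyBuckets scoped to one bucket, which IAM does not honour.
BUCKET_SCOPED_LIST_POLICY = json.loads("""{
  "Statement": [
    {"Sid": "BadList", "Effect": "Allow",
     "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::example-bucket"},
    {"Sid": "AllowUpload", "Effect": "Allow",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")


def _as_list(value):
    """IAM lets Action/Resource be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allows(policy, action, resource):
    """True if some Allow statement matches both the action and the resource.
    IAM wildcards (* and ?) are mapped onto fnmatch; actions compare case-insensitively."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            return True
    return False


def s3cmd_upload_ready(policy, bucket):
    """Check the two grants s3cmd needs: bucket listing (configure) and object upload.
    ListAllMyBuckets is account-wide, so it must be granted on arn:aws:s3:::* (or *)."""
    can_list = allows(policy, "s3:ListAllMyBuckets", "arn:aws:s3:::*")
    can_put = allows(policy, "s3:PutObject", f"arn:aws:s3:::{bucket}/any/object.key")
    return {"list_all_buckets": can_list, "put_object": can_put}
```

Running s3cmd_upload_ready on the second policy reports the missing listing grant, which is exactly the failure mode "s3cmd --configure" hits when ListAllMyBuckets is tied to a bucket ARN.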
