Allow an IAM user access to a whole S3 bucket

It took me a while to figure this out. Googling helped, but the answers are not obvious. So, you have an IAM user and you want to grant that user complete read-write access to some bucket. The catch is that you need two statements to achieve this. Here is the full bucket policy (just replace “YourIAMUser” and “YourBucketName” in the policy below):

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Principal": {
                "AWS": "arn:aws:iam::821707826313:user/YourIAMUser"
            },
            "Resource": [
                "arn:aws:s3:::YourBucketName"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Principal": {
                "AWS": "arn:aws:iam::821707826313:user/YourIAMUser"
            },
            "Resource": [
                "arn:aws:s3:::YourBucketName/*"
            ]
        }
    ]
}

So, the explanation: as I already mentioned, notice that we have two separate statements (lines 3-14 and 15-28).

  • The first one allows the IAM user to list the bucket's contents (“s3:ListBucket”, line 6), and the resource given here is just the plain ARN of the bucket itself (line 12).
  • The second statement gives that IAM user permissions on the objects in the bucket (lines 18-20), but the resource given here is the bucket ARN plus “/*” (line 26). This is the key thing I was missing when trying to create the policy using the AWS policy tool.
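
As an added example (not code from the original post), here is a small Python helper that builds the same two-statement policy for a given account, user and bucket, and then checks that every action is paired with the right ARN form, which is exactly the mistake described above. The account ID, user and bucket names are placeholders, the action sets are a hand-picked subset used only for the check, and a “Version” field is added because a policy without one falls back to the older 2008-10-17 policy grammar.

```python
import json

# Bucket-level actions are granted on the bucket ARN itself
# ("arn:aws:s3:::bucket"). Small, hand-picked subset for the check.
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketVersions"}
# Object-level actions are granted on the bucket ARN followed by "/*".
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}

S3_ARN_PREFIX = "arn:aws:s3:::"


def build_policy(account_id, user, bucket):
    """Build the two-statement policy from the post (plus a Version field)."""
    principal = {"AWS": f"arn:aws:iam::{account_id}:user/{user}"}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": principal,
             "Action": ["s3:ListBucket"],
             "Resource": [f"{S3_ARN_PREFIX}{bucket}"]},
            {"Effect": "Allow", "Principal": principal,
             "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
             "Resource": [f"{S3_ARN_PREFIX}{bucket}/*"]},
        ],
    }


def _as_list(value):
    # "Action" and "Resource" may be a single string or a list in IAM JSON.
    return value if isinstance(value, list) else [value]


def check_policy(policy):
    """Return a list of action/resource mismatches (empty means consistent)."""
    problems = []
    if "Version" not in policy:
        problems.append("missing Version (policy defaults to 2008-10-17)")
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            for res in resources:
                # An object ARN has a "/" after the bucket name, e.g. ".../bucket/*".
                is_object_arn = res.startswith(S3_ARN_PREFIX) and "/" in res[len(S3_ARN_PREFIX):]
                if action in BUCKET_ACTIONS and is_object_arn:
                    problems.append(f"statement {i}: {action} needs the bucket ARN, got {res}")
                elif action in OBJECT_ACTIONS and not is_object_arn:
                    problems.append(f"statement {i}: {action} needs '<bucket ARN>/*', got {res}")
    return problems


if __name__ == "__main__":
    policy = build_policy("123456789012", "YourIAMUser", "YourBucketName")  # placeholders
    print(json.dumps(policy, indent=4))
    print(check_policy(policy) or "policy is consistent")
```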

Hope this helps you!
