It took me a while to figure this out. Googling helped, but the answers are not obvious. So, you have an IAM user and you want to grant that user complete read-write access to some bucket. The catch is that you need two statements to achieve this. Here is the full bucket policy (just replace “YourIAMUser” and “YourBucketName” in the policy below):
```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Principal": {
        "AWS": "arn:aws:iam::821707826313:user/YourIAMUser"
      },
      "Resource": [
        "arn:aws:s3:::YourBucketName"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Principal": {
        "AWS": "arn:aws:iam::821707826313:user/YourIAMUser"
      },
      "Resource": [
        "arn:aws:s3:::YourBucketName/*"
      ]
    }
  ]
}
```
So, on to the explanation. As I already mentioned, notice that we have two separate statements (lines 3-14 and 15-28 of the policy).
- The first one allows the IAM user to list the bucket’s contents (“s3:ListBucket”, line 6), and the resource given here is just the plain ARN of the bucket (line 12).
- The second statement gives that IAM user permissions on the objects in the bucket (lines 18-20), but the resource given here is the ARN of your bucket plus “/*” (line 26). This is the key thing I was missing when trying to create the policy using the AWS policy tool.
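As an added example (not the post’s own code), here is a small Python script that builds the same two-statement policy with the account ID, user name and bucket name as parameters, plus a validate_policy check that flags exactly the mistake described above: an object action granted on the bare bucket ARN, or “s3:ListBucket” granted on the “/*” path, neither of which IAM will ever match. The account ID, user and bucket names in it are placeholders, and it adds the “Version” field that the policy above omits.

```python
"""Build and sanity-check an S3 bucket policy that gives one IAM user
read-write access to one bucket.

Added example, not the original post's code. Account ID, user name and
bucket name are placeholders. The validate_policy rules encode the point
made in the post: bucket-level actions need the bare bucket ARN, while
object-level actions need the "<bucket ARN>/*" resource.
"""
import json

# Actions that operate on the bucket itself: resource must be the bare bucket ARN.
BUCKET_ACTIONS = {"s3:ListBucket"}
# Actions that operate on objects: resource must be the bucket ARN followed by "/*".
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}


def build_bucket_policy(account_id: str, user_name: str, bucket_name: str) -> dict:
    """Return the two-statement policy from the post with all three values filled in."""
    principal = {"AWS": f"arn:aws:iam::{account_id}:user/{user_name}"}
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    return {
        "Version": "2012-10-17",  # policy language version; the post's policy leaves it out
        "Statement": [
            {   # statement 1: list the bucket's contents -> bare bucket ARN
                "Effect": "Allow",
                "Action": sorted(BUCKET_ACTIONS),
                "Principal": principal,
                "Resource": [bucket_arn],
            },
            {   # statement 2: read/write/delete objects -> bucket ARN + "/*"
                "Effect": "Allow",
                "Action": sorted(OBJECT_ACTIONS),
                "Principal": principal,
                "Resource": [f"{bucket_arn}/*"],
            },
        ],
    }


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def validate_policy(policy: dict) -> list:
    """Return a list of problems found (an empty list means the policy looks right).

    Catches the mistake described in the post: an object action granted on
    the bare bucket ARN, or s3:ListBucket granted on ".../*", silently grants
    nothing because the action never matches that kind of resource.
    """
    problems = []
    for i, stmt in enumerate(policy.get("Statement", []), start=1):
        actions = _as_list(stmt.get("Action", []))
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                continue  # matches both bucket and object ARNs
            name = res.split(":::", 1)[-1]  # "bucket" or "bucket/key-pattern"
            if "/" not in name and name.endswith("*"):
                continue  # "arn:aws:s3:::bucket*" also matches "bucket/key"
            is_object_res = "/" in name
            for action in actions:
                if action in OBJECT_ACTIONS and not is_object_res:
                    problems.append(
                        f"statement {i}: {action} on bucket ARN {res} has no effect; use {res}/*"
                    )
                if action in BUCKET_ACTIONS and is_object_res:
                    problems.append(
                        f"statement {i}: {action} on object path {res} has no effect; use the bucket ARN"
                    )
    return problems


def policy_json(policy: dict) -> str:
    """Serialise the policy in the form put-bucket-policy expects."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Placeholder values; replace with your own account ID, user and bucket.
    policy = build_bucket_policy("123456789012", "YourIAMUser", "YourBucketName")
    assert validate_policy(policy) == []
    print(policy_json(policy))
```

Running the script prints the policy; save it to a file and apply it with the AWS CLI: `aws s3api put-bucket-policy --bucket YourBucketName --policy file://policy.json`. The account ID in the principal ARN must be the account the IAM user belongs to, so it needs replacing along with the user and bucket names. Point validate_policy at any existing bucket policy (for example the output of `aws s3api get-bucket-policy`) to check it for the same resource-scoping mistake.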
Hope this helps you!