Unable to attach IAM role in S3 bucket policy

Open · rajasekaran07 opened this issue 9 years ago · 1 comment

Hi Team,

I am trying to give access to my S3 bucket only to instances with a specific IAM role. I applied the policy below, but it is not working.

```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "Stmt1371012493903",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": "arn:aws:iam::(Account-no):role/(my-role)"
      },
      "Action": [
        "s3:List*",
        "s3:Get*"
      ],
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
```

I also configured the AWS CLI with `aws configure`, using the temporary access key and secret access key I obtained with `curl http://169.254.169.254/latest/meta-data/iam/security-credentials/`, but I am still seeing

```
curl https://s3.amazonaws.com/my-bucket/myfile.json

<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>1C272502A24D780D</RequestId><HostId>YRP7gKyKfSQRzlKeOx/YpxHCjdh9AlBb80hcfwy9fjAAY9tlDNfmziRhfWzdIkDmgt/TWwT8Ink=</HostId></Error>
```

Regards, Raja

rajasekaran07 · Jan 31 '17 05:01

I followed the link below and modified my S3 policy as shown below; I am unable to curl in both accounts. https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::bucket/*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:userId": [
            "AROAJZ45MYWZWL7SPA56W:*",
            "27*******646"
          ]
        }
      }
    }
  ]
}
```

rajasekaran07 · Jan 31 '17 10:01
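As an added example (not code from the issue author or from AWS), here is a small Python model of how the `StringNotLike` / `aws:userId` pattern in the second policy is evaluated: which callers the Deny applies to and which it lets through. `ROLE_ID`, `ACCOUNT_ID` and `BUCKET` are constructed placeholders, and Python's `fnmatch` stands in for IAM's wildcard matching.

```python
import fnmatch

# Constructed placeholder values, not values from the issue; replace with your own.
ROLE_ID = "AROAEXAMPLEROLEID1234"  # the role's RoleId (aws iam get-role)
ACCOUNT_ID = "111122223333"        # the account root's aws:userId is the account ID
BUCKET = "my-bucket"


def build_policy(bucket, role_id, account_id):
    """Deny everyone except sessions of one role (and the account root).
    A Deny-only bucket policy grants nothing; the role still needs an Allow."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            # The bucket ARN covers ListBucket; the /* ARN covers object actions.
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            # Assumed-role sessions carry aws:userId = "<RoleId>:<session-name>".
            "Condition": {"StringNotLike": {"aws:userId": [f"{role_id}:*", account_id]}},
        }],
    }


def string_not_like(patterns, value):
    """IAM StringNotLike: true when the value matches none of the patterns
    (fnmatch stands in for IAM's '*' and '?' wildcards)."""
    return not any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_denied(policy, user_id, resource):
    """True if some Deny statement in the policy applies to this caller and resource."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        res = stmt["Resource"]
        res = res if isinstance(res, list) else [res]
        if not any(fnmatch.fnmatchcase(resource, r) for r in res):
            continue
        cond = stmt.get("Condition", {}).get("StringNotLike", {})
        # With a condition, the Deny applies only when every condition key is true.
        if all(string_not_like(pats, user_id) for pats in cond.values()):
            return True
    return False
```

A Deny-only bucket policy never grants access, so the role still needs an Allow from its identity policy, and an unsigned `curl` arrives as the anonymous principal, which has no Allow at all.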