Amazon-web-services – Why can’t I download files from s3 bucket, when permissions are set

amazon-s3amazon-web-servicespermissions

I was trying to create a bucket and set full permissions for two more accounts. First, I added those accounts in bucket Permissions. Files were still inaccessible. Then, I tried a policy. I created two roles for each account to specify them in it. Here is that policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::id:role/user1",
                    "arn:aws:iam::id:role/user2"
                ]
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bucket-name/*",
                "arn:aws:s3:::bucket-name"
            ]
        }
    ]
}

Still nothing. Then I saw, that even though bucket has all the permissions set, files in it don't have any. When I set them for a file, it becomes accessible for other users. But I wouldn't really want to do that for each file I upload. What's wrong?

I tried loading up files with aws cli and set permissions there with a "–grants" option, but after uploading, I can't even download them myself via the aws console.

Best Solution

To demonstrate how this works, I did the following:

  • Created bucket-1 in Account-1
  • Assigned this bucket policy:

.

{
    "Id": "Account1Policy",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowBucketAccess",
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::bucket-1",
                "arn:aws:s3:::bucket-1/*"
            ],
            "Principal": {
                "AWS": [
                    "arn:aws:iam::222222222222:user/account-2-user"
                ]
            }
        }
    ]
}

This policy says: Allow account2:account-2-user to do anything with account1:bucket-1

  • Created account-2-user in Account-2
  • Gave the user this inline policy:

.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowBucket1Access",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-1",
                "arn:aws:s3:::bucket-1/*"
            ]
        }
    ]
}

This policy says: Allow the user to whom this policy is attached permission to do anything with bucket-1

If both the bucket and the user were in the same account, this policy would be sufficient to grant full access to the bucket. However, because bucket-1 actually belongs to a different account, the first policy (above) is also required so that account-1 actually grants access. This means that the 2nd policy isn't actually granting access to the bucket - it is merely granting permission for account-user-2 to make a request to access the bucket. The real access is granted in the first policy.

I then successfully used the credentials of account-2-user to access bucket-1:

$ aws s3 cp foo.txt s3://bucket-1 --profile account-2-user
upload: ./foo.txt to s3://bucket-1/foo.txt    
Related Question