
Comments (5)

simonw commented on September 28, 2024

Also covered in this talk: https://youtu.be/Du478i9O_mc at 27:50


from s3-credentials.

simonw commented on September 28, 2024

Here's my annotated version of the example policy from https://aws.amazon.com/premiumsupport/knowledge-center/iam-s3-user-specific-folder/

{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUserToSeeBucketListInTheConsole",
      // There doesn't seem to be a way to NOT let people see
      // the names of the other buckets in an account, while
      // still letting them access interfaces that show them
      // a list of buckets including the ones they can access
      //
      // s3:GetBucketLocation here is interesting - it lets you
      // see what region a bucket is in. I should add that to
      // my own policies.
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "AllowRootAndHomeListingOfCompanyBucket",
      // Note that s3:ListBucket allows access to ListObjectsV2
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::my-company"],
      // Since this is StringEquals this is essentially saying
      // that permission is granted ONLY to make ListBucket calls
      // which either request / or request home/, and that the
      // delimiter must be set to /
      "Condition":{
        "StringEquals":{
          "s3:prefix":["","home/"],
          "s3:delimiter":["/"]
        }
      }
    },
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::my-company"],
      // This is the thing that allows ListBucket to be called
      // on home/David/ or any of its children
      "Condition": {
        "StringLike":{
          "s3:prefix": ["home/David/*"]
        }
      }
    },
    {
      "Sid": "AllowAllS3ActionsInUserFolder",
      "Effect": "Allow",
      // This seems overly permissive - it allows ANY s3:*
      // action, but only against objects in home/David/
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::my-company/home/David/*"]
    }
  ]
}


simonw commented on September 28, 2024

I think I just need those last two:

prefix = "home/david/"  # example value for the --prefix option

statements = [
    {
        "Action": ["s3:ListBucket"],
        "Effect": "Allow",
        "Resource": ["arn:aws:s3:::my-bucket"],
        "Condition": {
            "StringLike": {
                # Note that prefix must end in / if user wants to limit to a folder
                "s3:prefix": [f"{prefix}*"]
            }
        },
    },
    {
        "Effect": "Allow",
        "Action": [
            "s3:GetObject",
            "s3:GetObjectAcl",
            "s3:GetObjectLegalHold",
            "s3:GetObjectRetention",
            "s3:GetObjectTagging",
        ],
        "Resource": [f"arn:aws:s3:::my-bucket/{prefix}*"],
    },
]

I'll refactor the code so I can use the shared functions for read-only/read-write/write-only in that "Action" list.

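As an added example (not code from s3-credentials or from the comments above), the following Python builds the two-statement read-only prefix policy discussed in this thread and runs it through a deliberately simplified local evaluator to show which calls it admits, including the trailing-slash pitfall noted in the snippet. The evaluator is an assumption of this example: it handles only Allow statements with StringLike conditions and is a teaching aid, not a substitute for the IAM policy simulator.

```python
import fnmatch

# Read-only object actions, as listed in the policy snippet above.
READ_ONLY_ACTIONS = [
    "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectLegalHold",
    "s3:GetObjectRetention", "s3:GetObjectTagging",
]


def prefix_policy(bucket, prefix):
    """Two-statement read-only policy scoped to `prefix` inside `bucket`.

    `prefix` should end in "/" to limit access to one folder; without it
    the `prefix*` patterns also match sibling keys such as `prefix-old/`.
    """
    return {"Version": "2012-10-17", "Statement": [
        {"Action": ["s3:ListBucket"], "Effect": "Allow",
         "Resource": [f"arn:aws:s3:::{bucket}"],
         "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}}},
        {"Action": READ_ONLY_ACTIONS, "Effect": "Allow",
         "Resource": [f"arn:aws:s3:::{bucket}/{prefix}*"]},
    ]}


def _match(patterns, value):
    # IAM's "*" matches any run of characters, slashes included, like fnmatch.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource, context=None):
    """Simplified simulator (assumption: Allow statements and StringLike
    conditions only). `context` carries request keys such as s3:prefix."""
    context = context or {}
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or not _match(st["Action"], action):
            continue
        if not _match(st["Resource"], resource):
            continue
        conds = st.get("Condition", {}).get("StringLike", {})
        # A condition on a key absent from the request does not match.
        if all(_match(pats, context.get(key, "")) for key, pats in conds.items()):
            return True
    return False


if __name__ == "__main__":
    pol = prefix_policy("my-bucket", "home/david/")
    print(is_allowed(pol, "s3:ListBucket", "arn:aws:s3:::my-bucket",
                     {"s3:prefix": "home/david/2024/"}))   # True
    print(is_allowed(pol, "s3:GetObject", "arn:aws:s3:::my-bucket/home/other/a.txt"))  # False
```

Dropping the trailing slash (prefix "home/david") makes the same policy admit reads from a sibling folder such as home/david-archive/, which is the case the comment in the snippet warns about.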

simonw commented on September 28, 2024

I added a --dry-run option to make this easier to debug.


simonw commented on September 28, 2024

The --prefix example policy is now in the README in the branch: https://github.com/simonw/s3-credentials/blob/b6f04fd672f642d8c22c9ffc02f292b1b9359a1b/README.md#--prefix-my-prefix
