Closed
Description
Yep, this works as expected @WolfspiritM. AWS IAM policy returns
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRootAndHomeListingOfCompanyBucket",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::sjm-airlines-1"
      ],
      "Condition": {
        "StringEquals": {
          "s3:prefix": [
            "",
            "data/",
            "data"
          ],
          "s3:delimiter": [
            "/"
          ]
        }
      }
    }
  ]
}
With AWS S3
~ mc ls testuser/sjm-airlines-1/
mc: <ERROR> Unable to stat `testuser/sjm-airlines-1/`. Access Denied.
~ mc ls testuser/sjm-airlines-1/data/
[2019-01-16 21:31:45 PST] 224B hosts
Using this with Minio has the same behavior @WolfspiritM.
Now I started looking at the query params a little deeper; it looks like when a top-level bucket is provided, mc
doesn't send the prefix="" (empty) value. This actually causes AWS S3 to not honor the policy.
So after modifying mc's query params to set prefix="", the listing completes properly.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRootAndHomeListingOfCompanyBucket",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::sjm-airlines-1"
      ],
      "Condition": {
        "StringEquals": {
          "s3:prefix": [
            "",
            "data/",
            "data"
          ],
          "s3:delimiter": [
            "/"
          ]
        }
      }
    },
    {
      "Sid": "AllowAllActions",
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::sjm-airlines-1/data/*"
      ]
    },
    {
      "Sid": "AllowAllBucketActionsRead",
      "Action": [
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::sjm-airlines-1"
      ]
    }
  ]
}
Here is the final policy, which works properly but requires some fixes in mc
to pass the appropriate values.
This works with both Minio and AWS IAM. Looks like the only fix needed is in mc.
Originally posted by @harshavardhana in minio/minio#7095 (comment)
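The behavior described in the comment above, as an added illustration that is not part of the original thread and is not mc's or MinIO's code: a small model of how an S3-style policy engine evaluates the final policy against the query string a client actually sends. The evaluator is a deliberate simplification of IAM semantics (only `StringEquals`, trailing-`*` wildcards, no principals), and the one rule that matters here is that a `StringEquals` condition on a key the request did not supply evaluates to false. The function names (`build_list_query`, `can_list`, `is_allowed`) and the query-string shape are assumptions for the example; the policy is the one quoted in the comment.

```python
from urllib.parse import parse_qs, urlencode

BUCKET_ARN = "arn:aws:s3:::sjm-airlines-1"

# The final three-statement policy from the comment above.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowRootAndHomeListingOfCompanyBucket",
            "Action": ["s3:ListBucket"],
            "Effect": "Allow",
            "Resource": [BUCKET_ARN],
            "Condition": {
                "StringEquals": {
                    "s3:prefix": ["", "data/", "data"],
                    "s3:delimiter": ["/"],
                }
            },
        },
        {
            "Sid": "AllowAllActions",
            "Action": ["s3:*"],
            "Effect": "Allow",
            "Resource": [BUCKET_ARN + "/data/*"],
        },
        {
            "Sid": "AllowAllBucketActionsRead",
            "Action": ["s3:GetBucketLocation"],
            "Effect": "Allow",
            "Resource": [BUCKET_ARN],
        },
    ],
}


def build_list_query(prefix, delimiter="/", send_empty_prefix=False):
    """Build a ListObjects query string (assumed shape for this example).
    send_empty_prefix=False mimics the old client behavior described above:
    an empty prefix is dropped from the query entirely instead of being
    sent as 'prefix='."""
    params = {"list-type": "2", "delimiter": delimiter}
    if prefix or send_empty_prefix:
        params["prefix"] = prefix
    return urlencode(params)


def request_condition_keys(query_string):
    """Derive the s3:prefix / s3:delimiter condition keys from the query.
    keep_blank_values=True is essential: without it 'prefix=' vanishes and
    the server could never see the empty prefix the policy allows."""
    qs = parse_qs(query_string, keep_blank_values=True)
    ctx = {}
    if "prefix" in qs:
        ctx["s3:prefix"] = qs["prefix"][0]
    if "delimiter" in qs:
        ctx["s3:delimiter"] = qs["delimiter"][0]
    return ctx


def _glob_matches(pattern, value):
    # Only a trailing '*' wildcard is modelled (enough for 's3:*' and '/data/*').
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def _conditions_hold(condition, ctx):
    for operator, clauses in condition.items():
        if operator != "StringEquals":
            raise ValueError("operator not modelled: " + operator)
        for key, allowed in clauses.items():
            # IAM semantics: a missing condition key never satisfies
            # StringEquals (only the ...IfExists variants tolerate absence).
            if key not in ctx or ctx[key] not in allowed:
                return False
    return True


def is_allowed(policy, action, resource, ctx):
    """Default deny; any matching Deny wins; otherwise any matching Allow grants."""
    allowed = False
    for st in policy["Statement"]:
        if not any(_glob_matches(a, action) for a in st["Action"]):
            continue
        if not any(_glob_matches(r, resource) for r in st["Resource"]):
            continue
        if not _conditions_hold(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_list(prefix, send_empty_prefix):
    """Would a ListBucket call with this prefix be authorised by POLICY?"""
    query = build_list_query(prefix, send_empty_prefix=send_empty_prefix)
    return is_allowed(POLICY, "s3:ListBucket", BUCKET_ARN,
                      request_condition_keys(query))


if __name__ == "__main__":
    print("root listing, empty prefix dropped :", can_list("", False))
    print("root listing, prefix= sent         :", can_list("", True))
    print("data/ listing                      :", can_list("data/", False))
```

Run as-is, the first line reports the "Access Denied" seen with the unmodified client: the root listing carries no `prefix` key, so the `StringEquals` clause cannot match even though `""` is in the allowed list. Sending `prefix=` explicitly is what makes the same policy grant the listing, while a prefix outside the list (or a request with no `delimiter`) is still refused.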