Support specifying a folder --prefix #12

Closed
simonw opened this issue Nov 3, 2021 · 5 comments
Labels
enhancement New feature or request research
Comments

simonw commented Nov 3, 2021

It looks like it may be possible to create policies that only allow users to read and write files with a specified S3 path prefix: https://aws.amazon.com/premiumsupport/knowledge-center/iam-s3-user-specific-folder/

Supporting that as a feature - maybe with a --prefix foo/bar option - could be really neat.

@simonw simonw added enhancement New feature or request research labels Nov 3, 2021

simonw commented Nov 3, 2021

Also covered in this talk: https://youtu.be/Du478i9O_mc at 27:50

@simonw simonw added this to the 1.0 milestone Nov 6, 2021

simonw commented Nov 10, 2021

Here's my annotated version of the example policy from https://aws.amazon.com/premiumsupport/knowledge-center/iam-s3-user-specific-folder/

```jsonc
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUserToSeeBucketListInTheConsole",
      // There doesn't seem to be a way to NOT let people see
      // the names of the other buckets in an account, while
      // still letting them access interfaces that show them
      // a list of buckets including the ones they can access
      //
      // s3:GetBucketLocation here is interesting - it lets you
      // see what region a bucket is in. I should add that to
      // my own policies.
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "AllowRootAndHomeListingOfCompanyBucket",
      // Note that s3:ListBucket allows access to ListObjectsV2
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::my-company"],
      // Since this is StringEquals this is essentially saying
      // that permission is granted ONLY to make ListBucket calls
      // which either request / or request home/, and that the
      // delimiter must be set to /
      "Condition": {
        "StringEquals": {
          "s3:prefix": ["", "home/"],
          "s3:delimiter": ["/"]
        }
      }
    },
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::my-company"],
      // This is the thing that allows ListBucket to be called
      // on home/David/ or any of its children
      "Condition": {
        "StringLike": {
          "s3:prefix": ["home/David/*"]
        }
      }
    },
    {
      "Sid": "AllowAllS3ActionsInUserFolder",
      "Effect": "Allow",
      // This seems overly permissive - it allows ANY s3:*
      // action, but only against objects in home/David/
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::my-company/home/David/*"]
    }
  ]
}
```


simonw commented Nov 18, 2021

I think I just need those last two:

```python
def prefix_statements(prefix):
    # Statements scoped to a folder prefix inside my-bucket
    return [
        {
            "Action": ["s3:ListBucket"],
            "Effect": "Allow",
            "Resource": ["arn:aws:s3:::my-bucket"],
            "Condition": {
                "StringLike": {
                    # Note that prefix must end in / if user wants to limit to a folder
                    "s3:prefix": [f"{prefix}*"]
                }
            },
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectLegalHold",
                "s3:GetObjectRetention",
                "s3:GetObjectTagging",
            ],
            "Resource": [f"arn:aws:s3:::my-bucket/{prefix}*"],
        },
    ]
```

I'll refactor the code so I can use the shared functions for read-only/read-write/write-only in that "Action" list.
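As an added example (not part of this issue or of the s3-credentials code), a small Python model of how the two statements above are matched against requests: it builds a read-only variant of the policy and checks a ListBucket prefix or a GetObject key against it. The wildcard matcher and the two `*_allowed` checks are a simplified local approximation of IAM's StringLike and resource-ARN semantics (Allow statements only, no Deny, no other condition keys), not the real IAM evaluator.

```python
import re


def prefix_policy_statements(prefix, bucket="my-bucket"):
    """Read-only variant of the two prefix-scoped statements from the comment above."""
    return [
        {
            "Action": ["s3:ListBucket"],
            "Effect": "Allow",
            "Resource": [f"arn:aws:s3:::{bucket}"],
            "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": [f"arn:aws:s3:::{bucket}/{prefix}*"],
        },
    ]


def iam_like(pattern, value):
    # IAM StringLike and resource ARN wildcards: '*' matches any run of
    # characters (including '/'), '?' matches exactly one character.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def list_allowed(statements, bucket, requested_prefix):
    # Simplified local check (assumption: Allow-only policy, no Deny
    # statements, no condition keys other than s3:prefix).
    for st in statements:
        if st["Effect"] != "Allow" or "s3:ListBucket" not in st["Action"]:
            continue
        if not any(iam_like(r, f"arn:aws:s3:::{bucket}") for r in st["Resource"]):
            continue
        patterns = st.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        # A ListBucket statement without an s3:prefix condition allows every prefix
        if patterns is None or any(iam_like(p, requested_prefix) for p in patterns):
            return True
    return False


def get_allowed(statements, bucket, key):
    # Same simplification: does any Allow statement cover s3:GetObject on this key?
    arn = f"arn:aws:s3:::{bucket}/{key}"
    return any(
        st["Effect"] == "Allow"
        and "s3:GetObject" in st["Action"]
        and any(iam_like(r, arn) for r in st["Resource"])
        for st in statements
    )
```

With prefix `home/david/` a ListBucket request for `home/davidson/` is refused, but with `home/david` (no trailing slash) the same request is allowed, which is the trailing-slash caveat noted in the comment.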


simonw commented Nov 18, 2021

I added a --dry-run option to make this easier to debug.

@simonw simonw changed the title Support for specifying a folder prefix Support specifying a folder --prefix Jan 17, 2022

simonw commented Jan 17, 2022

The --prefix example policy is now in the README in the branch: https://github.com/simonw/s3-credentials/blob/b6f04fd672f642d8c22c9ffc02f292b1b9359a1b/README.md#--prefix-my-prefix
