Support specifying a folder --prefix
#12
Comments
Also covered in this talk: https://youtu.be/Du478i9O_mc at 27:50
Here's my annotated version of the example policy from https://aws.amazon.com/premiumsupport/knowledge-center/iam-s3-user-specific-folder/

```jsonc
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUserToSeeBucketListInTheConsole",
      // There doesn't seem to be a way to NOT let people see
      // the names of the other buckets in an account, while
      // still letting them access interfaces that show them
      // a list of buckets including the ones they can access
      //
      // s3:GetBucketLocation here is interesting - it lets you
      // see what region a bucket is in. I should add that to
      // my own policies.
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "AllowRootAndHomeListingOfCompanyBucket",
      // Note that s3:ListBucket allows access to ListObjectsV2
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::my-company"],
      // Since this is StringEquals this is essentially saying
      // that permission is granted ONLY to make ListBucket calls
      // which either request / or request home/, and that the
      // delimiter must be set to /
      "Condition": {
        "StringEquals": {
          "s3:prefix": ["", "home/"],
          "s3:delimiter": ["/"]
        }
      }
    },
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::my-company"],
      // This is the thing that allows ListBucket to be called
      // on home/David/ or any of its children
      "Condition": {
        "StringLike": {
          "s3:prefix": ["home/David/*"]
        }
      }
    },
    {
      "Sid": "AllowAllS3ActionsInUserFolder",
      "Effect": "Allow",
      // This seems overly permissive - it allows ANY s3:*
      // action, but only against objects in home/David/
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::my-company/home/David/*"]
    }
  ]
}
```
I think I just need those last two:

```python
[
    {
        "Action": ["s3:ListBucket"],
        "Effect": "Allow",
        "Resource": ["arn:aws:s3:::my-bucket"],
        "Condition": {
            "StringLike": {
                # Note that prefix must end in / if user wants to limit to a folder
                "s3:prefix": [f"{prefix}*"]
            }
        },
    },
    {
        "Effect": "Allow",
        "Action": [
            "s3:GetObject",
            "s3:GetObjectAcl",
            "s3:GetObjectLegalHold",
            "s3:GetObjectRetention",
            "s3:GetObjectTagging",
        ],
        "Resource": [f"arn:aws:s3:::my-bucket/{prefix}*"],
    },
]
```

I'll refactor the code so I can use the shared functions for read-only/read-write/write-only in that
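The two statements above hinge on one detail the comment in the snippet flags: the `s3:prefix` pattern is `{prefix}*`, so a prefix that does not end in `/` also matches sibling folders that merely share the same leading characters (`home/David*` matches `home/Davidson/`). The following is an added example, not code from s3-credentials or from the AWS article: it builds the two-statement policy for a bucket and prefix, normalizes the prefix to end in `/`, and includes a toy `StringLike` evaluator so the leak can be checked offline. `normalize_prefix`, `prefix_policy`, `iam_string_like`, `list_allowed` and the write-action list are assumptions made here, not the project's API.

```python
"""Added example (not s3-credentials' own code): build a prefix-confined S3
policy and show why the prefix must end in "/" before "*" is appended.
All function names and the write-action set below are assumptions."""
import json
import re


def normalize_prefix(prefix):
    """Turn a user-supplied folder path into an S3 key prefix ending in "/".

    Assumption: "home/David", "/home/David/" and "home/David/" all mean the
    same folder. An empty prefix means the whole bucket.
    """
    prefix = prefix.strip("/")
    return f"{prefix}/" if prefix else ""


def prefix_policy(bucket, prefix, read_only=True):
    """Policy confining a user to keys under `prefix` in `bucket`."""
    prefix = normalize_prefix(prefix)
    object_actions = [
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectLegalHold",
        "s3:GetObjectRetention",
        "s3:GetObjectTagging",
    ]
    if not read_only:
        # Assumed write set for this example; the tool's real lists may differ.
        object_actions += ["s3:PutObject", "s3:DeleteObject"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # ListBucket is a bucket-level action, so the folder restriction
                # has to come from the s3:prefix condition, not the Resource ARN.
                "Sid": "ListOnlyUnderPrefix",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
            },
            {
                "Sid": "ObjectsUnderPrefix",
                "Effect": "Allow",
                "Action": object_actions,
                "Resource": [f"arn:aws:s3:::{bucket}/{prefix}*"],
            },
        ],
    }


def iam_string_like(value, pattern):
    """IAM StringLike semantics: "*" matches any run of characters (including
    "/"), "?" matches exactly one character, everything else is literal."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, value) is not None


def list_allowed(policy, bucket, requested_prefix):
    """Toy check of the s3:ListBucket statement against a ListObjectsV2 call
    that sets ?prefix=<requested_prefix>. A call with no prefix parameter has
    no s3:prefix context key, so a StringLike condition on it can't match."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "s3:ListBucket" not in stmt["Action"]:
            continue
        if f"arn:aws:s3:::{bucket}" not in stmt["Resource"]:
            continue
        patterns = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix", [])
        if requested_prefix is not None and any(
            iam_string_like(requested_prefix, p) for p in patterns
        ):
            return True
    return False


if __name__ == "__main__":
    policy = prefix_policy("my-bucket", "home/David")
    print(json.dumps(policy, indent=2))
    # Without the trailing slash the pattern also matches a sibling folder:
    print(iam_string_like("home/Davidson/", "home/David*"))   # True: leak
    print(iam_string_like("home/Davidson/", "home/David/*"))  # False
    print(list_allowed(policy, "my-bucket", "home/Davidson/"))  # False
```

The evaluator only models the `s3:prefix` condition on `s3:ListBucket`; it does not model the object-level statement or any Deny statements elsewhere in the account, so treat it as a check on the pattern you are about to emit rather than a substitute for the IAM policy simulator.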
I added a `--prefix`
The
It looks like it may be possible to create policies that only allow users to read and write files with a specified S3 path prefix: https://aws.amazon.com/premiumsupport/knowledge-center/iam-s3-user-specific-folder/

Supporting that as a feature - maybe with a `--prefix foo/bar` option - could be really neat.