
I'm trying to make my AWS environment safer. So, I just created a bucket, no modifications at all, on S3, and want to give a minimal set of permissions to my application users. So, I have created a user called keeper; he can, basically, only assume some role that I can specify in his policy. And this is working because I have assumed a role and requested a temporary session token for him via CLI. However, in this role I have specified a policy that makes it possible to upload a file to a specific path in my new bucket.

However, this is not working, giving me permission denied. Do I need to specify a bucket policy where it says that it's possible to upload an object to my path?

If so, what is the meaning of roles then? I'm a bit confused about resource policies and user/role/group policies.

Valter Silva
  • A bucket with no policy works fine with this configuration. When a bucket policy is *also* present, its *deny* actions will defeat any *allow* in the role if they conflict (deny *always* wins), but the absence of a bucket policy essentially means "allow, only if allowed by another applicable policy." *"in this role I have specified a policy"* -- do you mean, the policy you submitted with the `AssumeRole` request, or the permission policy configured on the role itself? If the latter, did you send a `Policy` with the call to `AssumeRole`? (You shouldn't.) – Michael - sqlbot Sep 09 '16 at 19:40
  • @Michael-sqlbot Thanks for your comment. I didn't specify a policy to my user to assume a role, I can just grant him as a `trusted-entity`. – Valter Silva Sep 13 '16 at 13:23
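An added example (not from the asker or the commenter) that encodes the evaluation rule the comment describes: a trust policy naming the `keeper` user, a role permission policy that allows `s3:PutObject` only under one prefix, and an optional bucket policy whose explicit Deny overrides the role's Allow. The account id, bucket name, prefix and ARNs are constructed placeholders, and the evaluator ignores SCPs, permission boundaries and session policies.

```python
import fnmatch

# Constructed placeholder documents; the account id and bucket are not the asker's.
ROLE_TRUST_POLICY = {  # who may assume the role: only the IAM user "keeper"
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:user/keeper"},
                   "Action": "sts:AssumeRole"}],
}
ROLE_PERMISSION_POLICY = {  # what the role may do: upload under one prefix only
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": "s3:PutObject",
                   "Resource": "arn:aws:s3:::example-bucket/uploads/*"}],
}
BUCKET_POLICY_DENY_SUBPREFIX = {  # resource policy: a Deny here beats the role's Allow
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Principal": "*",
                   "Action": "s3:PutObject",
                   "Resource": "arn:aws:s3:::example-bucket/uploads/private/*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def can_assume(principal_arn, trust_policy):
    """Trust-policy check: the principal must be explicitly allowed sts:AssumeRole."""
    for stmt in trust_policy["Statement"]:
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if (stmt["Effect"] == "Allow" and "sts:AssumeRole" in _as_list(stmt["Action"])
                and principal_arn in principals):
            return True
    return False


def is_allowed(action, resource, identity_policy, bucket_policy=None):
    """Same-account evaluation: any matching explicit Deny wins; otherwise at least
    one matching Allow from the role or bucket policy is required; else implicit deny."""
    allowed = False
    for policy in [identity_policy] + ([bucket_policy] if bucket_policy else []):
        for stmt in policy["Statement"]:
            # IAM wildcards: "*" spans "/" as well, which fnmatchcase also does
            act_ok = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            res_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            if act_ok and res_ok:
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed
```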

0 Answers