1

I have a Rails app set up to upload files to S3. I have an IAM user with an inline policy attached to the user.

When I use the following policy everything works just fine:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1494133349000",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Now when I try to specify the ARN of my bucket, I get an access denied error in my app.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1494133349000",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket"
            ]
        }
    ]
}

The ARN is copied directly from my bucket. No clue why the second policy doesn't work. It should, according to everything I've read.

Justin

1 Answer

5

This is your bucket:

"Resource": [
    "arn:aws:s3:::my-bucket"
]

This is your bucket and the objects in your bucket:

"Resource": [
    "arn:aws:s3:::my-bucket",
    "arn:aws:s3:::my-bucket/*"
]

Michael - sqlbot
  • That's it exactly! For whatever reason I assumed that giving access to the bucket gave access to its object as well. Thanks! – Justin May 08 '17 at 01:01
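
Added example, not part of the original question or answer: a simplified Python model of how an Allow statement's `Resource` is matched, showing why an object-level action such as `s3:PutObject` is denied under the bucket-only policy and allowed once `my-bucket/*` is listed. The object key, the helper names and the `SCOPED` least-privilege variant (including its action list) are assumptions; the model ignores Deny, Condition and bucket policies.

```python
import re

def wildcard_match(pattern, value, ignore_case=False):
    """IAM-style wildcards: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)

def is_allowed(policy, action, resource_arn):
    """Simplified model: True if any Allow statement matches action AND resource.
    Ignores Deny, Condition, NotAction/NotResource and bucket policies."""
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(wildcard_match(a, action, ignore_case=True)
                        for a in as_list(stmt["Action"]))
        resource_ok = any(wildcard_match(r, resource_arn)
                          for r in as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False

def policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}

BUCKET = "arn:aws:s3:::my-bucket"
OBJECT = BUCKET + "/uploads/avatar.png"   # constructed sample object key

# The question's second policy: the bucket ARN only.
BUCKET_ONLY = policy({"Effect": "Allow", "Action": ["s3:*"], "Resource": [BUCKET]})
# The answer's fix: the bucket plus every object in it.
BUCKET_AND_OBJECTS = policy(
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": [BUCKET, BUCKET + "/*"]})
# Assumed least-privilege variant for an upload app (action list is an assumption).
SCOPED = policy(
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [BUCKET]},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": [BUCKET + "/*"]})

if __name__ == "__main__":
    for name, pol in [("bucket only", BUCKET_ONLY),
                      ("bucket + objects", BUCKET_AND_OBJECTS), ("scoped", SCOPED)]:
        print(name, "| PutObject on object:", is_allowed(pol, "s3:PutObject", OBJECT),
              "| ListBucket on bucket:", is_allowed(pol, "s3:ListBucket", BUCKET))
```

Bucket-level actions are evaluated against the bucket ARN and object-level actions against the object ARN, which is why the scoped variant splits them into two statements.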