Grant access to a single folder in the bucket by AWS STS token

Question

I need to allow an anonymous user to access a single folder in the Amazon S3 bucket by providing an STS Token.

I found a guide on how to provide an access to a user-specific folders in one bucket based on policies and policy variables. There you use long-term user keys. Would that be possible to implemented something similar but using the STS tokens and only one user vs. multiple users each having their own folders?

score 2 · Answer 1 · answered Sep 01 '17 at 14:08

When you call AssumeRole through the STS service you include a policy document that specifies what permissions the temporary credentials will have. In that policy document you would specify the exact S3 permissions you want this user to have. You wouldn't need to use policy variables because you are generating a policy document for a single user at that point (no user variable needed because you know who the exact user is in this scenario).

Your policy document would look something like this (replacing my-bucket and my-folder with the actual bucket name and folder name you want to grant the specific user access to):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*"
            ],
            "Resource": "arn:aws:s3:::my-bucket/my-folder/*"
        }
    ]
}

Cool, thanks. Going to figure out if the same user can be used in a shared environment with simultaneous requests with different policy documents at the same time. — Evgeny, Sep 03 '17 at 23:54
@Evgeny did you figured it out? Can the same user be used in a shared environment with simultaneous requests with different policy documents at the same time? — Ondrej Bozek, Feb 03 '19 at 20:45

Grant access to a single folder in the bucket by AWS STS token

1 Answers1