2

I am trying to give users read/write/list permissions to certain buckets and my IAM policy is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::kl-bucket1",
                "arn:aws:s3:::kl-bucket2",
                "arn:aws:s3:::kl-bucket3",
                "arn:aws:s3:::kl-bucket4"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::kl-bucket3",
                "arn:aws:s3:::kl-bucket4"
            ]
        }
    ]
}

When I try to write to bucket4 I get a 403 error; however, if I give full permission like below, then I am able to write to bucket4.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}

What could be the issue?

P.S. While this issue is similar to "S3: How to grant access to multiple buckets?", the actual problem is different.

Pang
Dennis Mathew

1 Answer

0

The issue was that I was also setting the access control after PutObject, while the IAM policy was setting that permission.
@Asarluhi's answer helped.
I have modified the Action to:

            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
Dennis Mathew
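To see which call in an upload sequence a least-privilege policy rejects, the policy can be checked offline before widening it to `s3:*`. The following is an added example, not code from the question or answer: a simplified evaluator for identity-policy statements that ignores `Condition`, `NotAction`, `NotResource`, bucket policies and ACLs. It assumes the object-level actions are scoped to object ARNs of the form `arn:aws:s3:::bucket/*`, and the object key is constructed.

```python
from fnmatch import fnmatchcase

def _listify(value):
    # IAM accepts either a single string/object or a list of them.
    return [value] if isinstance(value, (str, dict)) else list(value)

def _matches(stmt, action, resource):
    # Action names are case-insensitive; resource ARNs are case-sensitive.
    action_hit = any(fnmatchcase(action.lower(), p.lower())
                     for p in _listify(stmt["Action"]))
    resource_hit = any(fnmatchcase(resource, p)
                       for p in _listify(stmt["Resource"]))
    return action_hit and resource_hit

def is_allowed(policy, action, resource):
    """Implicit deny unless an Allow matches; an explicit Deny always wins."""
    allowed = False
    for stmt in _listify(policy["Statement"]):
        if _matches(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def denied_calls(policy, calls):
    """Return the (action, resource) pairs the policy does not permit."""
    return [(a, r) for a, r in calls if not is_allowed(policy, a, r)]

def make_policy(object_actions):
    # Bucket names are from the question; the "/*" object ARNs are an assumption.
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::kl-bucket%d" % n for n in (1, 2, 3, 4)]},
        {"Effect": "Allow", "Action": object_actions,
         "Resource": ["arn:aws:s3:::kl-bucket3/*", "arn:aws:s3:::kl-bucket4/*"]},
    ]}

BEFORE = make_policy(["s3:PutObject", "s3:GetObject"])
AFTER = make_policy(["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"])

# Constructed sample: upload an object, then set its ACL, as the answer describes.
KEY_ARN = "arn:aws:s3:::kl-bucket4/reports/a.csv"
UPLOAD_CALLS = [("s3:PutObject", KEY_ARN), ("s3:PutObjectAcl", KEY_ARN)]

if __name__ == "__main__":
    print("before:", denied_calls(BEFORE, UPLOAD_CALLS))
    print("after: ", denied_calls(AFTER, UPLOAD_CALLS))
```

The corrected policy still denies writes to `kl-bucket1` and `kl-bucket2`, so adding the single missing action keeps the scope narrower than the `s3:*` on `*` workaround.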