
I am trying to give a federated user (ADFS + SAML + STS) access to an Amazon S3 bucket. I am trying to give the principal as

  "Principal": {
    "AWS": [
      "arn:aws:sts::accountid:federated-user/someuser"
    ]
  }

and

"Resource": "arn:aws:s3:::mybucket"

But I can't seem to get the right access. Any pointers on this?

smac2020
Zak

2 Answers


Does the user assume a specific role first before attempting to access the bucket?

If so, try including both the user and the assumed role in your bucket policy, i.e.

"AWS": [
  "arn:aws:sts::1234567890:assumed-role/User/joe@example.com",
  "arn:aws:iam::1234567890:role/User"
]

Where User is the role name.

alkalinecoffee

This might be an old post, but the answer above from @alkalinecoffee helped me figure out the best answer for today.

IAM role policies now use Conditions a lot:

{
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:*",
  "Resource": [
    "arn:aws:s3:::<s3bucket>",
    "arn:aws:s3:::<s3bucket>/*"
  ],
  "Condition": {
    "ArnNotEquals": {
      "aws:PrincipalArn": [
        "arn:aws:iam::<AccountID>:role/aws-reserved/sso.amazonaws.com/<region>/<rolename>",
        "arn:aws:sts::<AccountID>:assumed-role/<rolename>/<federateduser>"
      ]
    }
  }
}

This will block ALL users except the federated user defined in the ArnNotEquals condition.

Rodel
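Two facts tie the question and both answers together, and are worth checking before writing the policy: an ADFS/SAML login goes through AssumeRoleWithSAML and therefore produces an assumed-role session (`arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION`), so the `federated-user/` principal form from the question, which belongs to GetFederationToken sessions, never matches; and for an assumed-role session the `aws:PrincipalArn` condition key carries the role ARN (`arn:aws:iam::ACCOUNT:role/ROLE`), not the session ARN. The Python below is an added example, not code from the question or either answer: it builds the bucket policy both answers sketch and runs a small policy evaluator over it so you can see which callers get through. The account ID, role name `User`, session name `joe@example.com` and bucket `mybucket` are assumed values; the evaluator implements only the slice of IAM semantics needed here (principal match, action/resource wildcards, ArnEquals/ArnNotEquals, explicit Deny wins) and is not a substitute for the IAM policy simulator.

```python
"""Added example: bucket policy for a SAML-federated role plus a toy evaluator.
Assumed values (not from the page): account, role, session name, bucket."""
import fnmatch
import json

ACCOUNT = "123456789012"   # assumed
ROLE_NAME = "User"         # assumed, as in the first answer
BUCKET = "mybucket"

ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/{ROLE_NAME}"
SESSION_ARN = f"arn:aws:sts::{ACCOUNT}:assumed-role/{ROLE_NAME}/joe@example.com"
# The form the question used: a GetFederationToken session, which an
# ADFS/SAML login (AssumeRoleWithSAML) never produces.
FEDERATED_USER_ARN = f"arn:aws:sts::{ACCOUNT}:federated-user/someuser"


def request_principal_arn(caller_arn):
    """aws:PrincipalArn as seen in the request context: the role ARN for an
    assumed-role session, the caller's own ARN for anything else."""
    if ":assumed-role/" in caller_arn:
        account = caller_arn.split(":")[4]
        role = caller_arn.split(":assumed-role/")[1].split("/")[0]
        return f"arn:aws:iam::{account}:role/{role}"
    return caller_arn


def build_bucket_policy(bucket, role_arn, session_arn):
    """Allow the role (all of its sessions) and deny every other principal."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {  # first answer: list both the session ARN and the role ARN
                "Sid": "AllowFederatedRole",
                "Effect": "Allow",
                "Principal": {"AWS": [session_arn, role_arn]},
                "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
            },
            {  # second answer: Deny * unless aws:PrincipalArn is the role
                "Sid": "DenyEveryoneElse",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                "Condition": {"ArnNotEquals": {"aws:PrincipalArn": [role_arn]}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]

def _any_match(value, patterns):
    # Simplified: real IAM applies '*' per colon-separated ARN segment.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    listed = _as_list(principal.get("AWS", []))
    # A role ARN in Principal covers every session of that role.
    return caller_arn in listed or request_principal_arn(caller_arn) in listed

def _conditions_hold(conditions, context):
    for operator, pairs in conditions.items():
        for key, values in pairs.items():
            matched = _any_match(context.get(key, ""), values)
            if operator == "ArnEquals" and not matched:
                return False
            if operator == "ArnNotEquals" and matched:
                return False
    return True


def is_allowed(policy, caller_arn, action, resource):
    """Explicit Deny wins; otherwise an applicable Allow is required."""
    context = {"aws:PrincipalArn": request_principal_arn(caller_arn)}
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], caller_arn):
            continue
        if not _any_match(action, stmt["Action"]):
            continue
        if not _any_match(resource, stmt["Resource"]):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, ROLE_ARN, SESSION_ARN)
    print(json.dumps(policy, indent=2))
    obj = f"arn:aws:s3:::{BUCKET}/report.csv"
    for caller in (SESSION_ARN, FEDERATED_USER_ARN):
        print(caller, "->", is_allowed(policy, caller, "s3:GetObject", obj))
```

Running it prints the assembled policy and then shows the SAML session allowed and the `federated-user/` caller denied. The same evaluator also shows that a second session of the same role (a different SAML user) is allowed because the role ARN is listed in `Principal`, while a session of any other role hits the Deny. To confirm the real behaviour, make the request with the session's temporary credentials (for example `aws s3api get-object` with the STS keys exported) rather than relying on a toy evaluator.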