
I have a bucket called "payroll-manager". I am able to put objects, etc using cognito authenticated users, I modified the role of my identity pool to have full access to s3 (I followed this example). So far so good.

Now I need to change my policy to allow users to only read, write, etc from their own folder. I google on how to do it and I found this example from AWS. I removed the full access to s3 policy from my cognito role and created a policy following this example, the problem is that I always get a forbidden message.

I opened the IAM policy simulator and found out that I cannot even get this simple policy to pass, because it always denies me the permission.

If I change the resource to "*" it allows me.

In this example (I only have 1 bucket), shouldn't it be the same to use the resource with * or with the ARN?

What should I do to be able to define the policy like AWS does?

Fernando Santiago

1 Answer


TLDR; what you are doing is the right way to go and it works, fix the test object.

You probably won't be able to emulate cognito's policy because you'd need to set cognito-identity in the simulator somehow.

All you're missing to get the simple policy to pass is to set the object ARN to match your bucket. You're restricting a policy to payroll-manager, but you are testing with *.

Try setting the object to arn::aws::s3:::payroll-manager/example.txt to check that the simple policy works.

Magus
  • Didn't work. I tried this simple policy: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:*", "Resource": "arn::aws::s3:::payroll-manager/example.txt" } ] } – Fernando Santiago Mar 03 '21 at 00:21
  • Don't put this on the Resource; it's not in the policy, this is a test object. Put this on the object text input field; it's the only input on the right side and it has a * by default. – Magus Mar 03 '21 at 02:02
  • It should work in that way, but the idea is to set the path directly in AWS. – Fernando Santiago Mar 03 '21 at 05:30
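Added example (my own code, not from the question, the answer, or AWS) that works through the answer's point offline: the simulator denies because a resource of `*` does not match a statement scoped to `arn:aws:s3:::payroll-manager/...`, whereas the same request against a real object ARN under the caller's own Cognito folder is allowed. The per-user-folder policy below is the shape AWS documents for Cognito identity pools (the one the question links to), written against the bucket named in the question; the identity ids are constructed placeholders. The tiny evaluator models `Allow`/`Deny`, `*` wildcards, policy-variable substitution and a `StringLike` condition, which is enough to reproduce every outcome discussed on the page. Note that S3 ARNs take the form `arn:aws:s3:::bucket/key` with single colons; comparison is exact, so a mistyped ARN on either side shows up as an implicit deny. `simulate_with_aws` is an optional wrapper around the real IAM `simulate_custom_policy` API for anyone with credentials; its `ContextEntries` parameter is how the `cognito-identity.amazonaws.com:sub` value the answer mentions can be supplied to the simulator (assumption: the simulator substitutes the policy variable from that context key).

```python
"""Offline check of the per-user-folder S3 policy used with Cognito identity pools."""
import fnmatch
import json

# Constructed Cognito identity ids standing in for two different app users.
ALICE = "us-east-1:11111111-2222-3333-4444-555555555555"
BOB = "us-east-1:66666666-7777-8888-9999-000000000000"

SUB = "cognito-identity.amazonaws.com:sub"  # policy variable Cognito populates at runtime

# Per-user-folder policy for the bucket in the question: list only your own prefix,
# read/write/delete only objects under <bucket>/<your identity id>/.
PER_USER_FOLDER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::payroll-manager"],
            "Condition": {"StringLike": {"s3:prefix": ["${" + SUB + "}/*"]}},
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": ["arn:aws:s3:::payroll-manager/${" + SUB + "}/*"],
        },
    ],
}


def simple_policy(resource):
    """The 'simple policy' from the question: s3:* on a single resource string."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": resource}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _substitute(text, context):
    """Replace ${key} policy variables with values from the request context."""
    for key, val in context.items():
        text = text.replace("${" + key + "}", val)
    return text


def _matches(statement, action, resource, context):
    """True if the statement's Action, Resource and Condition all match the request."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, _substitute(r, context))
               for r in _as_list(statement["Resource"])):
        return False
    # Only StringLike is modelled; a missing context key makes the condition false, as in IAM.
    for key, patterns in statement.get("Condition", {}).get("StringLike", {}).items():
        actual = context.get(key)
        if actual is None or not any(fnmatch.fnmatchcase(actual, _substitute(p, context))
                                     for p in _as_list(patterns)):
            return False
    return True


def is_allowed(policy, action, resource, context):
    """IAM-style decision: an explicit Deny wins, otherwise any matching Allow grants."""
    effects = [st["Effect"] for st in policy["Statement"]
               if _matches(st, action, resource, context)]
    return "Deny" not in effects and "Allow" in effects


def simulate_with_aws(policy, action, resource, identity_id):
    """Ask the real IAM policy simulator the same question (needs boto3 and credentials).
    Returns 'allowed', 'implicitDeny' or 'explicitDeny'."""
    import boto3  # imported lazily so the offline checks run without it
    iam = boto3.client("iam")
    resp = iam.simulate_custom_policy(
        PolicyInputList=[json.dumps(policy)],
        ActionNames=[action],
        ResourceArns=[resource],
        ContextEntries=[{"ContextKeyName": SUB,
                         "ContextKeyValues": [identity_id],
                         "ContextKeyType": "string"}],
    )
    return resp["EvaluationResults"][0]["EvalDecision"]


if __name__ == "__main__":
    ctx = {SUB: ALICE}
    own = "arn:aws:s3:::payroll-manager/" + ALICE + "/report.csv"
    other = "arn:aws:s3:::payroll-manager/" + BOB + "/report.csv"
    print("test object '*'        ->", is_allowed(PER_USER_FOLDER_POLICY, "s3:GetObject", "*", ctx))
    print("own folder object      ->", is_allowed(PER_USER_FOLDER_POLICY, "s3:GetObject", own, ctx))
    print("another user's object  ->", is_allowed(PER_USER_FOLDER_POLICY, "s3:GetObject", other, ctx))
```

Run it as a script to see the three decisions; the first line is the question's simulator result (denied because `*` is not an object in the bucket), the second is what happens once the test object is a real key under the caller's own folder, and the third shows the per-user isolation actually holding.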