3

I'm trying to write an IAM policy to do the following:

  • Allow user to access a specific bucket
  • Only be able to upload a selected few types of files.. based on extensions
  • Allow to create a folder in that bucket

I've managed to do the first two, but I'm unable to get the third requirement to work. This is what I've tried:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "s3:GetBucketLocation",
            "s3:ListAllMyBuckets"
        ],
        "Resource": "*"
    },
    {
        "Effect": "Allow",
        "Action": [
            "s3:ListBucket"
        ],
        "Resource": [
            "arn:aws:s3:::bucketxxx"
        ]
    },
    {
        "Effect": "Allow",
        "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:GetObjectVersion"
        ],
        "Resource": [
            "arn:aws:s3:::bucketxxx/*.mp4",
            "arn:aws:s3:::bucketxxx/*.pdf",
            "arn:aws:s3:::bucketxxx/*.jpg",
            "arn:aws:s3:::bucketxxx/*.png",
            "arn:aws:s3:::bucketxxx/*.xlsx",
            "arn:aws:s3:::bucketxxx/*.csv"
        ]
    }
]

}

Nigel Fds
  • 803
  • 2
  • 12
  • 29
  • Why do you mean by "folders"? There is no such concept in S3 as folders. AWS console only visual represents keys with slashes as "folders". – Marcin Apr 08 '21 at 06:13
  • 2
    ofcourse there is! if I use the above permission to create folder it gives this error: Insufficient permission to create folder After you or your AWS administrator have updated your permissions to allow the s3:PutObject action, choose – Nigel Fds Apr 08 '21 at 06:33
  • What is an example of the folder name? Because your policy seems to allow only, e.g., `bucketxxx/folder1/file.mp4`, not ` `bucketxxx/folder1/`. – Marcin Apr 08 '21 at 06:35
  • yes that's what I cant figure out – Nigel Fds Apr 08 '21 at 07:52
  • Hi, have you managed to get this working? – Matthias Sep 21 '22 at 08:41

1 Answers1

0

You might add "arn:aws:s3:::bucketxxx/*/", to your list of resources. As @marcin mentions, "folders" are just 0-byte objects whose name happens to end in a trailing slash.

jesse-gardner-sentry
  • 127
  • 3