I have MinIO with a bucket named "bucket" and an IAM user named "user1".

I'll try to grant access to this bucket with a bucket-level policy:

import json
import boto3

bucket_name = "bucket"
client = boto3.client('s3', endpoint_url='http://localhost:9000')

# Policy as posted: the Condition block uses 'arn:aws:iam' as a condition key,
# which is what produces the MalformedPolicy error shown below
bucket_policy = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": "*",
            "Condition": {
                "StringLike": {
                    "arn:aws:iam": [
                        "arn:aws:iam:::user1"
                    ]
                }
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bucket",
                "arn:aws:s3:::bucket/*"
            ]
        }
    ]
})

client.put_bucket_policy(Bucket=bucket_name, Policy=bucket_policy)

But I get an error like this:

ClientError: An error occurred (MalformedPolicy) when calling the PutBucketPolicy operation: invalid condition key 'arn:aws:iam'

RuS
  • Ideally, you would simply provide the necessary S3 permissions to the IAM user via an IAM policy, not via an S3 bucket policy. – jarmod May 31 '23 at 14:18
  • @jarmod I have a problem with IAM policy because we use MinIO with boto3 and boto doesn't provide methods to manipulate IAM policies – RuS May 31 '23 at 17:08
  • Yes, boto3 provides methods to modify IAM policies. For example [update_role](https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam/client/update_role.html). – jarmod May 31 '23 at 17:38

1 Answer

Do not use a Condition. Instead, use:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ACCOUNT:user/USERNAME"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bucket",
                "arn:aws:s3:::bucket/*"
            ]
        }
    ]
}

However, it is better to put the permissions on the IAM User rather than using a Bucket Policy.

Also, it is very dangerous to grant s3:* permission to a user. This means they can delete objects from the bucket, make the bucket public (not good for confidential information) and even delete the bucket. It is better to scope down the permissions being granted.

In boto3, you can use put_user_policy() - Boto3 documentation:

Adds or updates an inline policy document that is embedded in the specified IAM user.

and get_user_policy() - Boto3 documentation:

Retrieves the specified inline policy document that is embedded in the specified IAM user.

John Rotenstein
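A worked example, added here and not part of the question or of John Rotenstein's answer, that puts the answer's two recommendations into code: a bucket policy whose Principal names the IAM user as {"AWS": arn}, and the scoped-down inline user policy that the answer prefers over a bucket policy, serialized with json.dumps for put_bucket_policy / put_user_policy. A small linter reproduces offline the kind of check that rejected the question's document (a condition key that is not namespaced, plus the s3:* and anonymous-Principal grants the answer warns about). The account id 123456789012, the user name user1, the bucket name and the read-only action list are constructed placeholders; the boto3 calls in apply_policies assume an S3 endpoint plus an AWS IAM endpoint, and the thread's comments disagree on whether MinIO exposes the IAM API to boto3, which this example does not settle.

```python
import json

# Constructed placeholders; substitute your own account id, user and bucket.
ACCOUNT_ID = "123456789012"
USER_NAME = "user1"
BUCKET = "bucket"
USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/{USER_NAME}"

# A read-only action set as one scoped-down alternative to s3:* (assumed).
READ_ONLY_ACTIONS = ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"]

# Condition keys are namespaced: global keys use aws:, S3 keys use s3:.
# 'arn:aws:iam' from the question is an ARN fragment, not a condition key.
# (Simplification: other service prefixes exist; only these two are accepted here.)
VALID_CONDITION_PREFIXES = ("aws:", "s3:")


def bucket_resources(bucket):
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]


def build_bucket_policy(bucket, user_arn, actions):
    """Resource-based policy: Principal names the user as {"AWS": arn}, never a bare string."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ScopedUserAccess",
            "Effect": "Allow",
            "Principal": {"AWS": user_arn},
            "Action": list(actions),
            "Resource": bucket_resources(bucket),
        }],
    }


def build_user_policy(bucket, actions):
    """Identity-based (inline IAM user) policy: it carries no Principal element at all."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ScopedBucketAccess",
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": bucket_resources(bucket),
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return findings for over-broad Allow grants and malformed condition keys."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"{sid}: Allow with wildcard action {actions}")
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: Allow with anonymous Principal '*'")
        for operator, keys in stmt.get("Condition", {}).items():
            for key in keys:
                if not key.startswith(VALID_CONDITION_PREFIXES):
                    findings.append(f"{sid}: invalid condition key '{key}' under {operator}")
    return findings


def policy_json(policy):
    """put_bucket_policy and put_user_policy both take the document as a JSON string."""
    return json.dumps(policy)


def apply_policies(endpoint_url):
    """Push both documents with boto3; the import is local so the rest runs offline."""
    import boto3
    bucket_policy = build_bucket_policy(BUCKET, USER_ARN, READ_ONLY_ACTIONS)
    user_policy = build_user_policy(BUCKET, READ_ONLY_ACTIONS)
    if lint_policy(bucket_policy) or lint_policy(user_policy):
        raise ValueError("refusing to apply a policy with lint findings")
    s3 = boto3.client("s3", endpoint_url=endpoint_url)
    s3.put_bucket_policy(Bucket=BUCKET, Policy=policy_json(bucket_policy))
    iam = boto3.client("iam")  # assumes an AWS IAM endpoint is reachable
    iam.put_user_policy(UserName=USER_NAME, PolicyName="ScopedBucketAccess",
                        PolicyDocument=policy_json(user_policy))
    # get_user_policy returns PolicyDocument already decoded into a dict
    return iam.get_user_policy(UserName=USER_NAME, PolicyName="ScopedBucketAccess")["PolicyDocument"]


# The question's policy, reconstructed here so the linter can show what it flags.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "1", "Effect": "Allow", "Principal": "*",
        "Condition": {"StringLike": {"arn:aws:iam": ["arn:aws:iam:::user1"]}},
        "Action": "s3:*", "Resource": bucket_resources("bucket"),
    }],
}

if __name__ == "__main__":
    for finding in lint_policy(QUESTION_POLICY):
        print("question policy:", finding)
    print(policy_json(build_bucket_policy(BUCKET, USER_ARN, READ_ONLY_ACTIONS)))
```

Run it as-is to see the three findings against the question's document and the corrected bucket policy as JSON; call apply_policies("http://localhost:9000") only once the placeholders are replaced, since the linter refuses to push anything it flags.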